Q.1. Define abstract algebra.

Ans. A non-empty set G equipped with one or more binary operations is said to be an algebraic structure. Suppose * is a binary operation on G. Then (G, *) is an algebraic structure. (N, +), (I, +), (I, −), (R, +, ·) are all algebraic structures. Here (R, +, ·) is an algebraic structure equipped with two operations. Some algebraic structures are group, ring and field.


Q.2. Write properties of an algebraic system.
Ans. By a property of an algebraic system, we mean a property possessed by any of its operations. Important properties of an algebraic system are —
(i) Associative and Commutative Laws — An operation * on a set S is said to be associative or to satisfy the associative law if, for any elements a, b, c in S, we have
(a * b) * c = a * (b * c)
An operation * on a set S is said to be commutative or to satisfy the commutative law if
a * b = b * a
for any elements a, b in S.
(ii) Identity Element and Inverses — Consider an operation * on a set S. An element e in S is called an identity element for * if, for any element a in S,
a * e = e * a = a
Generally, an element e is called a left identity or a right identity according as e * a = a or a * e = a, where a is any element in S.
Suppose an operation * on a set S does have an identity element e. The inverse of an element a in S is an element b such that
a * b = b * a = e
(iii) Cancelation Laws — An operation * on a set S is said to satisfy the left cancelation law if
a * b = a * c implies b = c
and is said to satisfy the right cancelation law if
b * a = c * a implies b = c


Q.3. What is group ?

Ans. A system consisting of a non-empty set G of elements a, b, c etc. with an operation ‘.’ is said to be a group provided the following postulates are satisfied —

(i) Closure Property — For all a, b ∈ G ⇒ a.b ∈ G

i.e., G is closed under the operation ‘.’.

(ii) Associativity — (a.b).c = a.(b.c), ∀ a, b, c ∈ G

i.e., the binary operation ‘.’ over G is associative.

(iii) Existence of Identity — There exists a unique element e in G such that e.a = a = a.e, for every a ∈ G. This element e is called the identity.

(iv) Existence of Inverse — For each a ∈ G, there exists an element a⁻¹ ∈ G such that a.a⁻¹ = e = a⁻¹.a

The element a⁻¹ is called the inverse of a.
Abelian or Commutative Group — A group G is said to be abelian or commutative if in addition to the above four postulates the following postulate is also satisfied.

(v) Commutativity — a.b = b.a, for every a, b ∈ G.
Q.4. Define the ring with example.
Ans. Definition 1 — An algebraic structure (R, +, ·) consisting of a non-empty set R and two binary operations, called addition (+) and multiplication (·), is called a ring provided the following postulates are satisfied —
R₁ — The system (R, +) is an abelian group. So we have the following properties —
(i) Closure Property — The set R is closed with respect to the composition +,
i.e., a ∈ R, b ∈ R ⇒ a + b ∈ R, ∀ a, b ∈ R
(ii) Associativity — Associative law holds good in the set R for the composition +,
i.e., (a + b) + c = a + (b + c), ∀ a, b, c ∈ R
(iii) Existence of Identity (or Zero) — There exists a unique 0 ∈ R (called zero element) such that
a + 0 = a = 0 + a, ∀ a ∈ R
(iv) Existence of Inverse (or negative) — For each a ∈ R, there exists an element −a ∈ R, such that a + (−a) = 0 = (−a) + a.
(v) Commutativity of Addition — Commutative law holds good in the set R for the composition +,
i.e., a + b = b + a, ∀ a, b ∈ R
R₂ — The set R is closed with respect to the multiplication composition,
i.e., a.b ∈ R, ∀ a, b ∈ R.
R₃ — Multiplication composition is associative, i.e., (a.b).c = a.(b.c), ∀ a, b, c ∈ R.
R₄ — The multiplication composition is right and left distributive with respect to addition,
i.e., a.(b + c) = a.b + a.c, ∀ a, b, c ∈ R (left distributive law)
and (b + c).a = b.a + c.a (right distributive law).
Definition 2 — An algebraic (or mathematical) system (R, *, o) consisting of a non-empty set R and two binary operations * and o defined on R such that
(i) (R, *) is an abelian group;
(ii) (R, o) is a semigroup and
(iii) the operation o is distributive over the operation *
is said to be a ring.
Q.5. Write short note on fields.
Ans. A ring R with at least two elements is called a field if,
(i) it is commutative
(ii) it has unity
(iii) it is such that each non-zero element possesses multiplicative inverse.
Example — The ring of rational numbers (Q, +, ·) is a field since it is a commutative ring with unity and each non-zero element is inversible.

Skew Field — A ring R with at least two elements is called a division ring or skew field if it (i) has unity, (ii) is such that each non-zero element possesses multiplicative inverse.
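The postulates of Q.3 to Q.5 can be checked mechanically on a finite structure. The Python example below is added here and is not from the original text; it tests closure, associativity, identity, inverses, commutativity and distributivity by brute force over every element of Z_n (the integers modulo n under + and ·), which is small enough to enumerate. The function names are my own.

```python
from itertools import product

# Added example (not from the original text): brute-force checks of the group,
# ring and field postulates of Q.3 to Q.5 on a finite structure.
# S is a list of elements; add and mul are two-argument functions on S.

def is_closed(S, op):
    return all(op(a, b) in S for a, b in product(S, repeat=2))

def is_associative(S, op):
    return all(op(op(a, b), c) == op(a, op(b, c))
               for a, b, c in product(S, repeat=3))

def is_commutative(S, op):
    return all(op(a, b) == op(b, a) for a, b in product(S, repeat=2))

def identity(S, op):
    """Return the two-sided identity e with e*a = a = a*e, or None if there is none."""
    for e in S:
        if all(op(e, a) == a == op(a, e) for a in S):
            return e
    return None

def is_group(S, op):
    """Closure, associativity, identity, and a two-sided inverse for every element."""
    e = identity(S, op)
    if e is None or not is_closed(S, op) or not is_associative(S, op):
        return False
    return all(any(op(a, b) == e == op(b, a) for b in S) for a in S)

def is_abelian_group(S, op):
    return is_group(S, op) and is_commutative(S, op)

def is_ring(S, add, mul):
    """R1: (S, add) abelian group; R2, R3: mul closed and associative; R4: distributive laws."""
    if not (is_abelian_group(S, add) and is_closed(S, mul) and is_associative(S, mul)):
        return False
    return all(mul(a, add(b, c)) == add(mul(a, b), mul(a, c)) and
               mul(add(b, c), a) == add(mul(b, a), mul(c, a))
               for a, b, c in product(S, repeat=3))

def is_field(S, add, mul):
    """Commutative ring with unity, at least two elements, every non-zero element invertible."""
    if len(S) < 2 or not is_ring(S, add, mul) or not is_commutative(S, mul):
        return False
    zero, one = identity(S, add), identity(S, mul)
    if one is None:
        return False
    nonzero = [a for a in S if a != zero]
    return all(any(mul(a, b) == one for b in nonzero) for a in nonzero)

def zn(n):
    """The integers modulo n with addition and multiplication mod n."""
    return list(range(n)), (lambda a, b: (a + b) % n), (lambda a, b: (a * b) % n)

if __name__ == "__main__":
    for n in (6, 7):
        S, add, mul = zn(n)
        print(f"Z_{n}: abelian group under +: {is_abelian_group(S, add)}, "
              f"group under *: {is_group(S, mul)}, ring: {is_ring(S, add, mul)}, "
              f"field: {is_field(S, add, mul)}")
```

Z_6 passes the ring test but not the field test (2 has no multiplicative inverse modulo 6), while Z_7 is a field; the non-zero elements of Z_7 also form a group under multiplication, which is the structure Q.13 and Q.15 later rely on.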
Q.6. Define number theory.

Ans. We will be outlining several topics from number theory which we will need in order to explore the mathematics behind the cryptography.

Definition (i) — Suppose we have two integers a and b with a ≠ 0. If an integer c exists so that we can write b = ac then we say that a divides b, or that a is a divisor of b. Often we will use the notation a | b which is read as “a divides b”.

Suppose we have two integers a and b with a common divisor d ≠ 0. That is, d | a and d | b, then we will have d | (ra + sb) for any integers r and s. Because d is a divisor of both a and b then we can write a = dj and b = dk for some integers j and k. Then ra + sb = r(dj) + s(dk) = d(rj + sk). Since (rj + sk) is an integer then it follows that d | (ra + sb).

Proposition — Given two non-negative integers a and b, with a ≠ 0, there exists a pair of unique integers q and r with 0 ≤ r < a such that b = aq + r. We call q the quotient and r the remainder when b is divided by a.
Finding such a quotient and remainder is what we find when performing long division. After doing long division it is sometimes common to represent the ratio of b divided by a as b/a = q + r/a, but we can see that this statement is equivalent to the statement b = aq + r given in the proposition above.

Definition (ii) — The greatest common divisor of two non-zero integers a and b is the largest integer c such that c divides both a and b. This is denoted by gcd (a, b) = c or sometimes by (a, b) = c, however we will use the former notation in this text. If the greatest common divisor of a and b is 1 then we say that a and b are relatively prime.

There is a very useful procedure for computing the greatest common divisor of two positive integers. It is known as the Euclidean algorithm. Let us suppose we have two positive integers a and b, with a < b and let d = gcd(a, b). By the proposition we can write b = aq₁ + r₁ with 0 ≤ r₁ < a. Then because d | a and d | b it follows that d | r₁, since we can write r₁ = b − aq₁. So then d is a common divisor of a and r₁. Continuing the process, next we write a = r₁q₂ + r₂. Now, because d | a and d | r₁, we have d | r₂ because we can write r₂ = a − r₁q₂. So similarly, we can conclude that d is also a common divisor of r₁ and r₂. This process we continue until we obtain an rₖ₊₁ = 0. We can see that the process will terminate because the remainders become smaller with each iteration, but remain non-negative, so eventually we must reach a remainder of zero.
It should be clear that rₖ is a common divisor of a and b, but we will omit the proof that rₖ is actually the greatest common divisor. Let us do a few examples to better understand this algorithm.

Example — Find gcd(522, 213). First divide 522 by 213.

522 = 213(2) + 96
Next, divide 213 by the remainder 96 and continue this process.
213 = 96(2) + 21
96 = 21(4) + 12
21 = 12(1) + 9
12 = 9(1) + 3
9 = 3(3) + 0.

So gcd(522, 213) = 3.
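The division chain above can be produced by a short Python function that runs the Euclidean algorithm and records every step b = a(q) + r until the remainder is zero. This is an added example, not code from the original text; the function names are my own.

```python
# Added example (not from the original text): the Euclidean algorithm with a
# trace of each division step, as in the worked example for gcd(522, 213).

def euclid_trace(m, n):
    """Return (gcd, steps) for two positive integers m and n.

    steps is a list of (dividend, divisor, quotient, remainder) tuples, one per
    division; the last tuple is the division whose remainder is 0, and its
    divisor is the gcd (the last non-zero remainder r_k).
    """
    if m <= 0 or n <= 0:
        raise ValueError("both integers must be positive")
    b, a = (m, n) if m >= n else (n, m)   # divide the larger by the smaller first
    steps = []
    while True:
        q, r = divmod(b, a)                # b = a*q + r with 0 <= r < a
        steps.append((b, a, q, r))
        if r == 0:
            return a, steps
        b, a = a, r                        # next step divides the old divisor by the remainder

def format_steps(steps):
    """Render the trace in the book's notation, e.g. '522 = 213(2) + 96'."""
    return [f"{b} = {a}({q}) + {r}" for b, a, q, r in steps]

if __name__ == "__main__":
    g, steps = euclid_trace(522, 213)
    for line in format_steps(steps):
        print(line)
    print("gcd(522, 213) =", g)
```

The remainders strictly decrease (96, 21, 12, 9, 3, 0), which is why the loop terminates; the step count grows only with the number of digits, which is what makes the algorithm usable on the large integers of Q.8.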


Definition (iii) — We say that a number p is prime if it is an integer greater than 1, whose only positive divisors are 1 and itself. An integer greater than 1 which is not prime is said to be composite.

Theorem — The fundamental theorem of arithmetic — Given an integer greater than 1 we can write that integer as a unique product of primes (up to reordering of the factors).

Example — 10 = 2·5, since 2 and 5 are prime. 7800 = 2³·3·5²·13 because 2, 3, 5, and 13 are prime. 23 = 23 since 23 is a prime number.

Definition (iv) — For a positive integer m, which we will call our modulus, we say that two integers a and b are congruent modulo m if m | (a − b) or equivalently if a and b have the same remainder when divided by m. Symbolically this is written as a ≡ b (mod m) which is read as “a is congruent to b mod m”.

Example — 23 is congruent to 3 modulo 10 since 10 | (23 − 3) = 20. Also we have 59 ≡ −6 (mod 13) because 13 | (59 − (−6)) = 65. We find though, 7 ≢ 3 (mod 5) since 5 ∤ (7 − 3) = 4.

Q.7. Define greatest common divisor.

Ans. One integer often needed in cryptography is the greatest common divisor of two positive integers. Two positive integers may have many common divisors but only one greatest common divisor. For example, the common divisors of 12 and 140 are 1, 2 and 4. However, the greatest common divisor is 4 as shown in fig. 1.1.

[Fig. 1.1 Common Divisors of Two Integers: the divisors of 140, the divisors of 12, and their common divisors 1, 2 and 4; figure not reproduced]
Q.8. Describe modulo arithmetic with its properties.

Ans. Let d be an integer and let n be a positive integer. Let q and r be the quotient and remainder obtained from dividing d by n. The relationship between d, n, q and r is
d = n * q + r, 0 ≤ r < n
where r is a non-negative integer less than n. d and n are the dividend and the divisor, respectively. We say “d is equal to r modulo n” if the remainder obtained from dividing d by n is r. This is expressed as

r = d (mod n)

[Fig. 1.2 Equivalence Classes Modulo 8; figure not reproduced]
Any two numbers in the set {..., −37, −27, −17, −7, 3, 13, 23, 33, ...} are said to be congruent modulo 10 and the set itself is referred to as a congruence class. It is helpful to visualize the “modulo n relationship” using a spiral: the integers are laid out along a spiral with n integers on each turn. As we traverse the spiral in the clockwise direction we encounter the positive integers in increasing order, while the negative numbers are encountered as we traverse the spiral in the anti-clockwise direction. The set of elements along a given radius constitute one of the congruence classes modulo n. There are n congruence classes mod n. It is convenient to represent a class by the smallest non-negative integer in that class.

Two distinct integers, a and b, that are congruent modulo n map to the same radius in the spiral. Counting from a to b involves one or more revolutions. It follows that if two integers are congruent modulo n, then they differ by an integral multiple of n. Algebraically, if

a mod n = r and b mod n = r
then a = n * q₁ + r and b = n * q₂ + r
where q₁ and q₂ are integers.
Subtracting, we get
a − b = n(q₁ − q₂)
Since q₁ and q₂ are integers, a and b differ by an integral multiple of n.
Many useful properties of modulo arithmetic are as follows —
(i) (a + b) mod n = ((a mod n) + (b mod n)) mod n
(ii) (a − b) mod n = ((a mod n) − (b mod n)) mod n
(iii) (a * b) mod n = ((a mod n) * (b mod n)) mod n

These properties are useful in cryptography. In cryptography, we often have to perform computations such as multiplying a large number of terms, each term itself being a very large number. For example, we may have to multiply 50 integers, each about 1000 digits long.

(a₁ * a₂ * a₃ * .... * a₅₀) mod n

In the worst case, the size of a₁ * a₂ will be 2000 digits, the size of a₁ * a₂ * a₃ will be 3000 digits. Property (iii), however, tells us that we could “reduce modulo n” each intermediate product before multiplying by the next term. For example, we could

compute the product a₁ * a₂

reduce, i.e., compute b = (a₁ * a₂) mod n

compute the product b * a₃

reduce, i.e., compute (b * a₃) mod n
and so on. In this way we are restricting the size of each intermediate result. In particular, if n is roughly 1000 digits, then the length of the intermediate results after a multiplication and a reduction is no more than 2000 and 1000 digits, respectively.
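The reduce-as-you-go procedure above, as an added Python example that is not from the original text. The 50 terms of about 1000 digits and the 1000-digit modulus n are constructed with a seeded random generator, so the input is sample data; the function names are my own. The code compares reducing after every multiplication with forming the whole product first, and records the largest intermediate value each approach produces.

```python
import random

# Added example (not from the original text): property (iii) lets us reduce
# each intermediate product modulo n instead of forming a huge product first.

def product_mod_reduce_each(terms, n):
    """(a1 * a2 * ... * ak) mod n, reducing after every multiplication.

    Returns (result, max_digits): max_digits is the decimal length of the
    largest intermediate value, which never exceeds len(n) + len(a_i).
    """
    acc, max_digits = 1, 1
    for a in terms:
        prod = acc * a                 # acc < n, so prod has at most len(n)+len(a) digits
        max_digits = max(max_digits, len(str(prod)))
        acc = prod % n                 # reduce: back below n before the next term
    return acc, max_digits

def product_mod_naive(terms, n):
    """Form the whole product first, then reduce once; the product grows with every term."""
    acc = 1
    for a in terms:
        acc *= a
    return acc % n, len(str(acc))

def modular_properties_hold(a, b, n):
    """Check properties (i), (ii), (iii) for one triple (Python's % returns a non-negative remainder)."""
    return ((a + b) % n == ((a % n) + (b % n)) % n and
            (a - b) % n == ((a % n) - (b % n)) % n and
            (a * b) % n == ((a % n) * (b % n)) % n)

def demo(k=50, digits=1000, seed=1):
    """Constructed input: k terms of `digits` digits and a `digits`-digit modulus."""
    rng = random.Random(seed)
    lo, hi = 10 ** (digits - 1), 10 ** digits
    n = rng.randrange(lo, hi)
    terms = [rng.randrange(lo, hi) for _ in range(k)]
    r1, m1 = product_mod_reduce_each(terms, n)
    r2, m2 = product_mod_naive(terms, n)
    return r1 == r2, m1, m2

if __name__ == "__main__":
    same, m1, m2 = demo()
    print("results agree:", same)
    print("largest intermediate, reducing each step:", m1, "digits")
    print("largest intermediate, naive product:", m2, "digits")
```

Both routes give the same residue, but the naive product passes through a number of roughly 50 000 digits while the reduced version never exceeds 2000 digits, which is exactly the bound stated above.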


Q.9. What is the difference between modular arithmetic and ordinary arithmetic ? List three classes of polynomial arithmetic. (R.GP.V., June 2013)

Ans. In ordinary arithmetic, the division relationship (a = q × n + r) has two inputs (a and n) and two outputs (q and r). In modular arithmetic, we are interested in only one of the outputs, the remainder r. It means that we want to know what is the value of r when we divide a by n and the division relation is a mod n = r.

Polynomial Arithmetic Classes — There are three classes of polynomial arithmetic —
(i) Ordinary polynomial arithmetic, using the basic rules of algebra.
(ii) Polynomial arithmetic in which the arithmetic on the coefficients is performed modulo p. That is, the coefficients are in Zₚ.
(iii) Polynomial arithmetic in which the coefficients are in Zₚ and the polynomials are defined modulo a polynomial m(x) whose highest power is some integer n.

Q.10. Define the term modular inverse.

Ans. Definition (i) — Given an integer a and a positive integer n satisfying gcd(a, n) = 1, we define the multiplicative inverse of a modulo n to be an integer d such that ad ≡ 1 (mod n). This d is sometimes represented symbolically by d = a⁻¹.

The Euclidean algorithm which we described earlier can provide a convenient way of finding multiplicative inverses modulo n. The way we can do this is by first using the algorithm to show that gcd(a, n) = 1. We then work backwards through the equations that were found in order to represent 1 = ad + nc for some integers d and c. We then will have that the multiplicative inverse of a modulo n is d. This is because if we consider the equation 1 = ad + nc modulo n then we see —

1 = ad + nc ≡ ad + 0 ≡ ad (mod n).
Let us do a few examples to see how this works.

Example — Find the multiplicative inverse of 9 modulo 32. First let us perform the Euclidean algorithm to show that gcd (32, 9) = 1; this is seen in the left hand column below. At each step we will also solve for the remainder in the equation, which can be seen in the right hand column below. These remainder equations are then labeled in a reverse ordering for later reference.

32 = 9(3) + 5  →  5 = 32 − 9(3)  ...(iii)
9 = 5(1) + 4  →  4 = 9 − 5(1)  ...(ii)
5 = 4(1) + 1  →  1 = 5 − 4(1)  ...(i)

Now we work backwards through these equations. First we use the last equation (i) which states 1 = [5 − 4(1)]. Next we use the second to last equation (ii) to substitute 4 = [9 − 5(1)] into our previous expression. We then distribute and group our terms to obtain an expression of 1 = 9j + 5k for some integers j and k. Lastly we will replace 5 = [32 − 9(3)] (iii) and again group our terms to obtain the desired equation in terms of 32 and 9.

1 = [5 − 4(1)]  ...(i)
  = 5 − [9 − 5(1)]  ...(ii)
  = 5 − 9 + 5  distribute
  = 9(−1) + 5(2)  group terms
  = 9(−1) + 2[32 − 9(3)]  ...(iii)
  = 9(−1) + 32(2) + 9(−6)  distribute
  = 32(2) + 9(−7)  group terms.
Thus we see that 9⁻¹ ≡ −7 ≡ 25 (mod 32). We can confirm this by checking that 9(−7) = −63 ≡ 1 (mod 32).


Q.11. Discuss the extended Euclidean algorithm.

Ans. Given two integers a and b, we often need to find two integers, s and t, such that
s × a + t × b = gcd (a, b)

The extended Euclidean algorithm can calculate the gcd(a, b) and at the same time calculate the value of s and t. The algorithm and process is shown in fig. 1.3. The extended Euclidean algorithm uses the same number of steps as the Euclidean algorithm. However, in each step, we use three sets of calculations and exchanges instead of one. The algorithm uses three sets of variables, r’s, s’s and t’s.

(a) Process — in each step the r’s, s’s and t’s are updated together, using the single quotient q of that step.

(b) Algorithm —
r₁ ← a; r₂ ← b;
s₁ ← 1; s₂ ← 0;
t₁ ← 0; t₂ ← 1;  (Initialization)
while (r₂ > 0)
{
q ← r₁ / r₂;
r ← r₁ − q × r₂; r₁ ← r₂; r₂ ← r;  (Updating r’s)
s ← s₁ − q × s₂; s₁ ← s₂; s₂ ← s;  (Updating s’s)
t ← t₁ − q × t₂; t₁ ← t₂; t₂ ← t;  (Updating t’s)
}
gcd (a, b) ← r₁; s ← s₁; t ← t₁
Fig. 1.3 Extended Euclidean Algorithm

In each step, r₁, r₂ and r have the same values as in the Euclidean algorithm. The variables r₁ and r₂ are initialized to the values of a and b, respectively. The variables s₁ and s₂ are initialized to 1 and 0, respectively. The variables t₁ and t₂ are initialized to 0 and 1, respectively. The calculations of r, s and t are similar, with one warning. Although r is the remainder of dividing r₁ by r₂, there is no such relationship between the other two. There is only one quotient, q, which is calculated as r₁ / r₂ and used for the other two calculations.
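The following Python example is added here and is not code from the original text. It implements the three-variable scheme (r’s, s’s and t’s) described for fig. 1.3, so that s × a + t × b = gcd(a, b), and derives from it the modular inverse of Q.10; function names are my own. It reproduces the worked value 9⁻¹ ≡ 25 (mod 32) and the gcd values of the numerical problems later in this unit.

```python
# Added example (not from the original text): the extended Euclidean algorithm
# with the r, s and t variable pairs of fig. 1.3, and the modular inverse of
# Q.10 derived from it. Function names are my own.

def extended_euclid(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g.

    Each loop step uses one quotient q = r1 // r2 for all three updates;
    only r is a true remainder, s and t just follow the same recurrence.
    """
    r1, r2 = a, b          # (Initialization)
    s1, s2 = 1, 0
    t1, t2 = 0, 1
    while r2 > 0:
        q = r1 // r2
        r1, r2 = r2, r1 - q * r2    # (Updating r's)
        s1, s2 = s2, s1 - q * s2    # (Updating s's)
        t1, t2 = t2, t1 - q * t2    # (Updating t's)
    return r1, s1, t1               # gcd(a, b) <- r1; s <- s1; t <- t1

def bezout_holds(a, b):
    """Check s*a + t*b = gcd(a, b) for the values the algorithm returns."""
    g, s, t = extended_euclid(a, b)
    return s * a + t * b == g

def mod_inverse(a, n):
    """a^-1 mod n: from s*n + t*a = 1 the coefficient t is the inverse, reduced into 0..n-1."""
    g, s, t = extended_euclid(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return t % n

if __name__ == "__main__":
    print("gcd(32, 9), s, t =", extended_euclid(32, 9))   # s*32 + t*9 = 1
    print("9^-1 mod 32 =", mod_inverse(9, 32))
    print("726^-1 mod 1549 =", mod_inverse(726, 1549))
```

For a = 32, b = 9 the algorithm returns s = 2 and t = −7, the same coefficients as the back-substitution in Q.10 (32(2) + 9(−7) = 1); the inverse is t reduced modulo n, and a gcd other than 1 means no inverse exists, which the function reports instead of returning a meaningless value.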


Q.12. Explain Euclidean algorithm for finding the greatest common divisor.
Ans. Finding the greatest common divisor (gcd) of two positive integers by listing all common divisors is not practical when the two integers are large. Fortunately, more than 2000 years ago a mathematician named Euclid developed an algorithm that can find the greatest common divisor of two positive integers. This algorithm is based on the following two facts —
(i) gcd (a, 0) = a
(ii) gcd (a, b) = gcd (b, r) where r is the remainder of dividing a by b
The first fact tells us that if the second integer is 0, then the greatest common divisor is the first integer. The second fact allows us to change the value of a, b until b becomes 0. For example, to calculate gcd (36, 10), we can use the second fact several times and the first fact once, as shown below,
gcd(36, 10) = gcd(10, 6) = gcd(6, 4) = gcd(4, 2) = gcd(2, 0) = 2
In other words, gcd(36, 10) = 2, gcd(10, 6) = 2, and so on. This means that instead of calculating gcd(36, 10), we can find gcd(2, 0). Fig. 1.4 shows how we use the above two facts to calculate gcd(a, b).

(a) Process — start with r₁ = a and r₂ = b; in each step replace the pair (r₁, r₂) by (r₂, r) where r is the remainder of r₁ divided by r₂, until r₂ = 0.

(b) Algorithm —
r₁ ← a; r₂ ← b;
while (r₂ > 0)
{
q ← r₁ / r₂;
r ← r₁ − q × r₂;
r₁ ← r₂; r₂ ← r;
}
gcd (a, b) ← r₁
Fig. 1.4 Euclidean Algorithm

We use two variables, r₁ and r₂, to hold the changing values during the process of reduction. They are initialized to a and b. In each step, we calculate the remainder of r₁ divided by r₂ and store the result in the variable r. We then replace r₁ by r₂ and r₂ by r. The steps are continued until r₂ becomes 0. At this moment, we stop. The gcd (a, b) is r₁.
Q.13. What is Euler’s totient ? (R.GP.V., June 2016)
Ans. For calculating the inverse modulo n, there is another method, but it is not always possible to use it. The reduced set of residues mod n is the subset of the complete set of residues which is relatively prime to n. For instance, the reduced set of residues mod 12 is {1, 5, 7, 11}. When n is prime, then the reduced set of residues mod n is the set of all numbers from 1 to n − 1. The number 0 is not a member of the reduced set of residues for any n not equal to 1.
The Euler totient function is also known as Euler phi function. The Euler totient function is written as φ(n). φ(n) is the number of elements in the reduced set of residues modulo n. In other words, φ(n) is the number of positive integers less than n that are relatively prime to n (for any n greater than 1). When n is prime, then φ(n) = n − 1. When n = pq, where p and q are prime, then φ(n) = (p − 1)(q − 1). These numbers appear in some public key algorithms; this is why. According to Euler’s generalization of Fermat’s little theorem, when gcd (a, n) = 1, then
a^φ(n) mod n = 1
Now it is simple to calculate a⁻¹ mod n —
x = a^(φ(n) − 1) mod n
For example, what is the inverse of 5, modulo 7 ? Since 7 is prime, φ(7) = 7 − 1 = 6. Hence, the inverse of 5, modulo 7, is
5^(6 − 1) mod 7 = 5⁵ mod 7 = 3
Both techniques for computing inverses can be extended to solve for x in the general problem (if gcd(a, n) = 1) —
(a * x) mod n = b
Using Euler’s generalization to solve —
x = (b * a^(φ(n) − 1)) mod n
Using Euclid’s algorithm to solve —
x = (b * (a⁻¹ mod n)) mod n
Normally, Euclid’s algorithm is faster as compared to Euler’s generalization for computing inverses, especially for numbers in the 500 bit range. If gcd(a, n) ≠ 1, all is not lost. In this normal condition, (a * x) mod n = b may have a lot of solutions or no solution.


Q.14. Define the Euler Phi-function.

Ans. The Euler φ-function, φ(n), is defined to be the number of positive integers less than or equal to n which are relatively prime to n.
Examples — Consider n = 10. We see that the only positive integers k < 10 such that gcd(k, 10) = 1 are k = 1, 3, 7, 9. Thus we have φ(10) = 4.
Consider n = 7. Then all positive integers strictly less than 7 are relatively prime to 7, since 7 is a prime number. So φ(7) = 7 − 1 = 6.
Another example is φ(1) = 1 because the only positive integer k ≤ 1 is k = 1 and gcd(1, 1) = 1.
Proposition (i) — φ is a multiplicative function. This means that if gcd(a, b) = 1 then φ(ab) = φ(a)φ(b).
We can find a formula for computing φ(n), given the prime factorization of n. We do this by first considering cases where n is a prime power.
Consider n = p for any prime p. We see then that all positive integers k < p satisfy gcd(k, p) = 1. There are p − 1 such integers, thus φ(p) = p − 1.
Consider n = pʲ where p is any prime and j is any positive integer. The only integers which will have a common (non-trivial) factor with pʲ are multiples of p. The multiples of p less than or equal to pʲ are p, 2p, 3p, ..., (pʲ⁻¹)p = pʲ. So we see that there are pʲ⁻¹ such multiples. We can then conclude that the number of positive integers less than or equal to pʲ which are relatively prime to pʲ will be
φ(pʲ) = pʲ − pʲ⁻¹ = pʲ(1 − 1/p).
We can now conclude the following proposition —
Proposition (ii) — For a positive integer n where n = p₁^e₁ p₂^e₂ ... pₖ^eₖ we have
φ(n) = n ∏_{i=1}^{k} (1 − 1/pᵢ)
Proof. Since φ(n) is multiplicative then we have
φ(n) = φ(p₁^e₁) φ(p₂^e₂) ... φ(pₖ^eₖ)
= p₁^e₁ (1 − 1/p₁) p₂^e₂ (1 − 1/p₂) ... pₖ^eₖ (1 − 1/pₖ)
= p₁^e₁ p₂^e₂ ... pₖ^eₖ (1 − 1/p₁)(1 − 1/p₂) ... (1 − 1/pₖ)
= n ∏_{i=1}^{k} (1 − 1/pᵢ)
An alternative way of representing this product is to write φ(n) = n ∏_{p | n} (1 − 1/p) where it is understood that this will mean to index the product over all prime divisors of n.

Q.15. Explain the Euler’s theorem.
Ans. For two positive integers n and m which are relatively prime we have
m^φ(n) ≡ 1 (mod n)
where φ(n) is the Euler φ-function.
Examples — Let n = 10. We saw earlier that φ(10) = 4. Consider m = 3. We have that gcd(3, 10) = 1 and we can confirm that 3⁴ = 81 ≡ 1 (mod 10).
Let n = 7 and m = 2. Then φ(7) = 7 − 1 = 6, and we have gcd(2, 7) = 1. We can confirm that 2⁶ = (2³)² = (8)² ≡ (1)² = 1 (mod 7).
It is interesting to point out that Euler’s theorem is a generalization of Fermat’s Little theorem, which states that for any prime p and integer a we have aᵖ ≡ a (mod p). Restricting a to be not divisible by p then makes Fermat’s Little theorem equivalent to aᵖ⁻¹ ≡ 1 (mod p) which is the same as Euler’s theorem in the case that n is a prime p. Also, for those readers familiar with groups we can see that Euler’s theorem is a specific case of the fact that in a finite group, the order of an element of that group divides the order of the group.

NUMERICAL PROBLEMS

Prob.1. Show that the set G = {a + b√2 : a, b ∈ Q} is a group with respect to addition.
Or
Show that the algebraic structure ({a + b√2 : a, b ∈ I}, +) forms a group. (R.GP.V., Dec. 2016)
Sol. (i) Closure Property — Let x, y be any two elements of G.
Then, x = a + b√2 and y = c + d√2, where a, b, c, d ∈ Q.
Now, x + y = (a + b√2) + (c + d√2) = (a + c) + (b + d)√2
Since (a + c) and (b + d) are the elements of Q,
(a + c) + (b + d)√2 ∈ G ⇒ x + y ∈ G, ∀ x, y ∈ G
∴ G is closed with respect to addition.
(ii) Associativity — The elements of G are all real numbers and the addition of real numbers is associative.
(iii) Existence of Identity — Let a + b√2 ∈ G, where a, b ∈ Q.
We have,
(a + b√2) + (0 + 0√2) = (a + 0) + (b + 0)√2 = a + b√2
∴ 0 + 0√2 is the additive identity of a + b√2.
(iv) Existence of Inverse — Let a + b√2 ∈ G, where a, b ∈ Q.
Since a, b ∈ Q ⇒ −a, −b ∈ Q, we have (−a) + (−b)√2 ∈ G.
Now, [(−a) + (−b)√2] + (a + b√2) = [(−a) + a] + [(−b) + b]√2
= 0 + 0√2 = identity
∴ (−a) + (−b)√2 is the additive inverse of a + b√2.
Hence, G is a group with respect to addition. Proved.

Prob.2. Find the multiplicative inverse of 726 modulo 1549.
Sol. Recall earlier we used the Euclidean algorithm to find that gcd (1549, 726) = 1 by finding —
1549 = 726(2) + 97  →  97 = 1549 − 726(2)  ...(v)
726 = 97(7) + 47  →  47 = 726 − 97(7)  ...(iv)
97 = 47(2) + 3  →  3 = 97 − 47(2)  ...(iii)
47 = 3(15) + 2  →  2 = 47 − 3(15)  ...(ii)
3 = 2(1) + 1  →  1 = 3 − 2(1)  ...(i)
Working backwards through these equations we obtain —
1 = 3 − 2(1)  ...(i)
  = 3 − [47 − 3(15)]  ...(ii)
  = −47 + 3(16)
  = −47 + 16[97 − 47(2)]  ...(iii)
  = 97(16) − 47(33)
  = 97(16) − 33[726 − 97(7)]  ...(iv)
  = −726(33) + 97(247)
  = −726(33) + 247[1549 − 726(2)]  ...(v)
  = 726(−527) + 1549(247).
Thus 726⁻¹ ≡ −527 ≡ 1022 (mod 1549).

Prob.3. Explain Euclidean algorithm. Solve the following using this algorithm —
(i) Determine gcd (24140, 16762)
(ii) Determine gcd (4655, 12075)
(R.GP.V., … 2011)
Sol. Euclidean Algorithm — Refer to Q.12.
(i) gcd(24140, 16762)
We apply the Euclidean algorithm using a table — [table not reproduced]
Thus, we have gcd(24140, 16762) = 34 Ans.
(ii) gcd (4655, 12075)
We apply the Euclidean algorithm using a table — [table not reproduced]
Thus, we have gcd(4655, 12075) = 35 Ans.

Prob.4. Explain Euclidean algorithm and solve the following using it —
(i) Determine gcd (1970, 1066)
(ii) Determine gcd (…, …)
(R.GP.V., June 2012)
Sol. Euclidean Algorithm — Refer to Q.12.
(i) gcd(1970, 1066)
We apply the Euclidean algorithm using a table — [table not reproduced]
Thus, gcd(1970, 1066) = 2 Ans.

(ii) Refer to Prob.3 (i).

Prob.5. Find gcd(1549, 726) using the Euclidean algorithm.

Sol. We find,
1549 = 726(2) + 97
726 = 97(7) + 47
97 = 47(2) + 3
47 = 3(15) + 2
3 = 2(1) + 1.
The next remainder we obtain will be zero, so gcd(1549, 726) = 1.
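As an added Python example (not from the original text) for Q.13 to Q.15 above, the following computes φ(n) from the prime-factorization formula of Proposition (ii), lists the reduced set of residues, checks Euler’s theorem, and finds inverses and solutions of (a * x) mod n = b by Euler’s generalization. The function names are my own; Python’s built-in pow(a, -1, n) is used only as a cross-check of the Euler-based inverse.

```python
from math import gcd

# Added example (not from the original text): Euler's phi-function via the
# prime-factorization formula, the reduced set of residues, Euler's theorem,
# and inverses found by Euler's generalization. Function names are my own.

def prime_factors(n):
    """Distinct prime divisors of n by trial division (fine for the sizes used here)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes

def phi(n):
    """phi(n) = n * prod(1 - 1/p) over the prime divisors p of n, kept in integers."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)   # result is still divisible by p at this point
    return result

def reduced_residues(n):
    """Elements of {1, ..., n-1} relatively prime to n; its size is phi(n) for n > 1."""
    return [k for k in range(1, n) if gcd(k, n) == 1]

def euler_theorem_holds(m, n):
    """m^phi(n) = 1 (mod n) whenever gcd(m, n) = 1; False if they are not coprime."""
    return gcd(m, n) == 1 and pow(m, phi(n), n) == 1

def inverse_by_euler(a, n):
    """a^-1 mod n = a^(phi(n) - 1) mod n, valid only when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return pow(a, phi(n) - 1, n)

def solve_by_euler(a, b, n):
    """x with (a * x) mod n = b, using x = (b * a^(phi(n) - 1)) mod n."""
    return (b * inverse_by_euler(a, n)) % n

if __name__ == "__main__":
    print("phi(10) =", phi(10), "; reduced residues mod 12:", reduced_residues(12))
    print("3^phi(10) = 1 (mod 10):", euler_theorem_holds(3, 10))
    print("5^-1 mod 7 =", inverse_by_euler(5, 7), "; cross-check:", pow(5, -1, 7))
```

Note that the Euler route needs φ(n), hence the factorization of n, whereas the extended Euclidean algorithm of Q.11 needs neither; that is the practical reason Q.13 says Euclid’s method is normally the faster one for large moduli.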


INTRODUCTION TO CRYPTOGRAPHY — PRINCIPLES OF CRYPTOGRAPHY, CLASSICAL CRYPTOSYSTEM, CRYPTANALYSIS ON SUBSTITUTION CIPHER (FREQUENCY ANALYSIS), PLAY FAIR CIPHER, BLOCK CIPHER

Q.16. What do you understand by cryptography ?

Ans. Cryptography is the art and science of achieving security by encoding messages to make them non-readable. Fig. 1.5 shows the conceptual view of cryptography.

[Fig. 1.5 Cryptographic System: the readable message “This is a Book on Network and Internet Security” is turned into the unreadable message “R#5 %^&”m, :p0- Z >] S89!@*%Sjhnl00 -$557”; the process is systematic and well-structured]
Q.17. What are three basic operations in cryptography ? (R.GP.V., June 2011)

Ans. Cryptographic systems are characterized along three independent dimensions —

(i) The Type of Operations Used for Transforming Plaintext to Ciphertext — All encryption algorithms are based on two general principles — substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (that is, that all operations are reversible). Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.

(ii) The Number of Keys Used — If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver each uses a different key, the system is referred to as asymmetric, two-key, or public-key encryption.

(iii) The Way in which the Plaintext is Processed — A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.


Q.18. What is the difference between traditional cryptography and modern cryptography ? Explain the significance of work factor in cryptography. (R.GP.V., Dec. 2004)

Ans. In the last few decades, traditional cryptographic algorithms, being mathematical in nature, have become so advanced that they can only be handled by computers. This, in effect, means that the uncoded message (prior to encryption) is binary in form and can therefore be anything: a picture, a text such as an e-mail or even a video.

As with most historical ciphers, the security of the message being sent relies on the algorithm itself remaining secret. This technique is known as a Restricted Algorithm. It has the following fundamental drawbacks.

(i) The algorithm obviously has to be restricted to only those people that you want to be able to decode your message. Therefore, a new algorithm must be invented for every discrete group of users.

(ii) A large or changing group of users cannot utilise them, as every time one user leaves the group, everyone must change the algorithm.

(iii) If the algorithm is compromised in any way, a new algorithm must be implemented.

Because of these drawbacks, restricted algorithms (traditional cryptography) are no longer popular and have given way to key-based algorithms. Practically, all modern cryptographic systems make use of a key. Algorithms that use a key allow all details of the algorithm to be widely known. This is because all of the security lies in the key. With a key-based algorithm, the plaintext is encrypted and decrypted by the algorithm which uses a certain key, and the resulting ciphertext is dependent on the key, and not the algorithm. This means that an eavesdropper can have a complete copy of the algorithm in use but, without the specific key used to encrypt that message, it is useless.

Modern cryptography has become so complex and effective that it is not only used for military but has many commercial uses and applications.

The real secrecy now is in the key, and its length is a major design issue. Consider a simple combination lock. The general principle is that you enter digits in sequence. Everyone knows this but the key is secret. A key of two digits means that there are 100 possibilities. A key length of three digits means 1000 possibilities and a key length of six digits means a million. The longer the key, the higher the work factor the cryptanalyst has to deal with. The work factor for breaking the system by exhaustive search of the key space is exponential in the key length. This is the significance of work factor in cryptography. Work factor provides an indication of processing complexity required for cryptanalysis. It is a measure of time needed to perform the attack.


Q.19. How many keys are required for two people to communicate via a cipher ? (R.GP.V., June 2013)
Or

How many keys are required for two parties to communicate via a cipher ? Why ? (R.GP.V., June 2017)

Ans. The encryption and decryption algorithms are known as ciphers. A key is a set of values that the cipher, as an algorithm, operates on. In symmetric-key cryptography, the secret key must be shared between two persons. In asymmetric-key cryptography, the secret is personal, i.e. unshared. Each one creates and keeps his or her own secret.

In a community of m people m(m − 1)/2 shared secrets are required for symmetric-key cryptography, and m personal secrets are required for asymmetric-key cryptography. It means that for two people only one key is required for symmetric-key cryptography and two keys are required in asymmetric-key cryptography.
Q.20. Describe conventional encryption model. What are the requirements for secure use of conventional encryption? (R.G.P.V., June 2009)
Or
What do you understand by conventional encryption model? Discuss in detail. (R.G.P.V., Dec. 2005)

Ans. Symmetric encryption is also referred to as conventional encryption or single-key encryption. It was the only type of encryption in use prior to the development of public-key encryption. It remains by far the most widely used of the two types of encryption.

A symmetric encryption scheme has five ingredients as shown in fig. 1.6.

[Fig. 1.6 Simplified Model of Conventional Encryption: Plaintext Input → Encryption Algorithm (e.g., DES) → Transmitted Ciphertext → Decryption Algorithm (Reverse Encryption Algorithm) → Plaintext Output; the Secret Key Shared by Sender and Recipient is supplied to both algorithms.]

(i) Plaintext — This is the original intelligible message or data that is fed into the algorithm as input.

(ii) Encryption Algorithm — The encryption algorithm performs various substitutions and transformations on the plaintext to convert it into ciphertext.

(iii) Secret Key — The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.

(iv) Ciphertext — This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.

(v) Decryption Algorithm — This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key as the input and produces the original plaintext.

There are two requirements for secure use of conventional encryption —

(i) We need a strong encryption algorithm. At a minimum, we would like the algorithm to be such that an opponent who knows the algorithm and has access to one or more ciphertexts would be unable to decipher the ciphertext or figure out the key. Usually, this requirement is stated in a stronger form: the opponent should be unable to decrypt ciphertext or discover the key even if he or she is in possession of a number of ciphertexts together with the plaintext that produced each ciphertext.

(ii) Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable.

Q.21. Explain the basic principle of cryptography.

Ans. The following are some important principles of cryptography —

(i) Encryption — Encryption is one of the important principles of cryptography. This principle indicates that a message or information must be encrypted to become unreadable so that the privacy of individuals is protected. This principle also shows that the recipient of information must decrypt the received information by using a special digital key.

(ii) Authentication — One of the important principles of cryptography is identifying the origin of the information. When the source of information is identified it is easy to communicate securely. Authentication is only possible by providing a special key exchange to be used accordingly by the sender to prove his/her identity.

(iii) Integrity — Integrity of information sent to the receiver is very important. This principle indicates that cryptography ensures the integrity of data by providing codes and digital keys to ensure that what we receive is genuine and from the intended person. The receiver is assured that the information received has not been modified or compromised during the process of transmission. For example, a cryptographic hash is utilized to ensure the integrity of the information.

(iv) Non-Repudiation — This principle ensures that the sender of the information cannot deny the fact that he/she sent the information. This principle uses digital signatures to prevent the sender from denying the origin of the data.
Q.22. Explain some classical cryptosystems.

Ans. Some classical cryptosystems are as follows —

(i) Affine and Caesar Cryptosystem — In the affine cryptosystem AFFINE a message symbol i (a residue class modulo M represented in the positive residue system) is encrypted in the following way —

e_k1(i) = (ai + b, mod M).

Here a and b are integers and a has an inverse class c modulo M, in other words gcd(a, M) = 1. The encrypting key k1 is formed by the pair (a, b) and the decrypting key k2 by the pair (c, b) (usually represented in the positive residue system). The decrypting function is

d_k2(j) = (c(j − b), mod M).

So the length of the message block is one. Hence affine encrypting is also suitable for stream encryption. When choosing a and b from the positive residue system the number of possible values of a is φ(M) and all in all there are φ(M)·M different encrypting keys. The number of encrypting keys is thus quite small. Some values —

φ(10) = 4, φ(26) = 12, φ(29) = 28, φ(40) = 16

The special case where a = 1 is known as the Caesar cryptosystem CAESAR. A more general cryptosystem, where

e_k1(i) = (p(i), mod M)

and p is a polynomial with integral coefficients, is not really much more useful as there are still very few keys.

(ii) Hill Cryptosystem — In Hill's cryptosystem HILL we use the same encoding of symbols as residue classes modulo M as in AFFINE. However, now the block is formed of d residue classes considered as a d-vector. Hill's original d was 2. The encrypting key is a d × d matrix H that has an inverse matrix modulo M. This inverse matrix H^(−1) = K modulo M is the decrypting key. A message block

i = (i1, i2, ..., id)

is encrypted as

e_k1(i) = (iH, mod M)

and decrypted similarly as

d_k2(j) = (jK, mod M).

Here we calculate modulo M in the positive residue system.

There are as many encrypting keys as there are invertible d × d matrices modulo M. This number is quite hard to compute. However, usually there is a relatively large number of keys if d is large.

A special case of HILL is PERMUTATION or the so-called permutation encryption. Here H is a permutation matrix, in other words, a matrix that has exactly one element equal to one in every row and in every column, all other elements being zero. Note that in this case H^(−1) = H^T, i.e. H is an orthogonal matrix. In permutation encrypting the symbols of the message block are permuted using the constant permutation given by H.

Another general cryptosystem is AFFINE-HILL or the affine Hill cryptosystem. Comparing with HILL, now the encrypting key k1 is a pair (H, b), where b is a fixed d-vector modulo M, and the decrypting key k2 is the corresponding pair (K, b). In this case

e_k1(i) = (iH + b, mod M)

and

d_k2(j) = ((j − b)K, mod M).

From this we obtain a special case, the so-called Vigenère encryption VIGENERE, by choosing H = I_d (the d × d identity matrix). (This choice is of course not suitable for HILL!) In Vigenère's encryption we add to the message block, symbol by symbol, a keyword of length d modulo M.

Other generalizations of HILL are the so-called rotor cryptosystems that are realized using mechanical and electro-mechanical devices. The most familiar example is the famous ENIGMA machine used by Germans in the Second World War.

(iii) One-time-pad Cryptosystem — Message symbols are often encoded as binary numbers of a certain maximum length, for example ASCII encoding or UNICODE encoding. Hence we may assume that the message is a bit vector of length M. If the maximum length of the message is known in advance and encrypting is needed just once then we may choose a random bit vector b (or vector modulo 2) of length M as the key, the so-called one-time pad, which we add to the message modulo 2 during the encryption. The encrypted message vector obtained as result is also random and a possible eavesdropper won't get anything out of it without the key. During the decrypting we correspondingly add the same vector b to the encrypted message, since 2b = 0 mod 2. In this way we get the so-called one-time-pad cryptosystem ONE-TIME-PAD.
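As an added example (not code from the book), the AFFINE, VIGENERE and ONE-TIME-PAD systems above in Python: affine keys with the inverse class c computed from a, the key count φ(M)·M (which reproduces the values of φ listed above), Vigenère as AFFINE-HILL with H = I_d, and a one-time pad over bits with a fresh random key. The function names, sample texts and keys are constructed for the example; the last function shows what the "just once" condition protects against, namely that a pad used twice cancels out of the XOR of the two ciphertexts.

```python
"""Added example, not from the book: the AFFINE, VIGENERE and ONE-TIME-PAD
cryptosystems of Q.22 in the positive residue system modulo M (M = 26 for
letters, M = 2 for bits).  Function names and sample texts are constructed."""
import math
import secrets

M = 26  # symbols are residue classes 0..25, with a = 0, ..., z = 25


def to_residues(text):
    """Letters to residues modulo 26; anything that is not a letter is dropped."""
    return [ord(ch) - ord('a') for ch in text.lower() if ch.isalpha()]


def to_letters(residues):
    return ''.join(chr(ord('A') + r % M) for r in residues)


def affine_keys(a, b, m=M):
    """(encrypting key, decrypting key) = ((a, b), (c, b)) with c = a^-1 mod m.
    Raises ValueError when gcd(a, m) != 1, i.e. when a has no inverse class."""
    if math.gcd(a, m) != 1:
        raise ValueError(f"a = {a} has no inverse modulo {m}")
    return (a, b), (pow(a, -1, m), b)


def affine_encrypt(text, k1):
    a, b = k1                                   # e_k1(i) = (a i + b, mod M)
    return to_letters([(a * i + b) % M for i in to_residues(text)])


def affine_decrypt(cipher, k2):
    c, b = k2                                   # d_k2(j) = (c (j - b), mod M)
    return to_letters([(c * (j - b)) % M for j in to_residues(cipher)])


def phi(m):
    """Euler's function: how many a in 1..m have gcd(a, m) = 1."""
    return sum(1 for a in range(1, m + 1) if math.gcd(a, m) == 1)


def affine_key_count(m=M):
    """phi(m) admissible values of a times m values of b."""
    return phi(m) * m


def vigenere(text, keyword, decrypt=False):
    """VIGENERE is AFFINE-HILL with H = I_d: the keyword of length d is added
    to the message block symbol by symbol modulo 26, and subtracted to decrypt."""
    key = to_residues(keyword)
    sign = -1 if decrypt else 1
    return to_letters([(i + sign * key[n % len(key)]) % M
                       for n, i in enumerate(to_residues(text))])


def one_time_pad_key(nbytes):
    """A fresh random pad b, as long as the message, from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def one_time_pad(message, pad):
    """Add the pad modulo 2 (XOR).  The same call decrypts, since 2b = 0 mod 2."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))


def pad_reuse_leak(c1, c2):
    """Why the pad is used once: if one pad b encrypts two messages, then
    c1 XOR c2 = (m1 + b) + (m2 + b) = m1 XOR m2, and b has cancelled out."""
    return one_time_pad(c1, c2)
```

With a = 1 and b = 3 the affine functions give exactly the Caesar cipher of Q.25, and affine_keys(2, 1) raises because 2 has no inverse modulo 26.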


Q.23. What do you understand by plaintext?

Ans. The data that you want to keep secret is called plaintext (some call it clear text). Any communication in the language that we speak — that is, the human language — takes the form of plaintext or clear text. That is, a message in plaintext can be understood by anybody knowing the language as long as the message is not codified in any manner. For example, when we speak in our daily life, we use plaintext because we do not want to hide anything. Suppose I say "Hello Bob"; it is a plaintext because both Bob and I know it. We also use plaintext during electronic conversations. For example, if I send an email to someone, I compose the email message using English. Any person who reads this email would know what I have written, simply because I am not using any codified language here.


Q.24. Differentiate between private and public keys.

Ans. Public-key cryptography requires each user to have two keys; a public key, used by the entire world for encrypting messages to be sent to that user, and a private key, which the user needs for decrypting messages.

Q.25. What is substitution cipher or technique? Discuss briefly the various substitution ciphers.

Ans. A substitution cipher or technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

(i) Caesar Cipher — The earliest known use of a substitution cipher, and the simplest, was by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. For example

plain : meet me after the toga party
cipher : PHHW PH DIWHU WKH WRJD SDUWB

Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the transformation by listing all possibilities, as follows —

plain : a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher : D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numerical equivalent to each letter —

a  b  c  d  e  f  g  h  i  j  k   l   m
0  1  2  3  4  5  6  7  8  9  10  11  12
n   o   p   q   r   s   t   u   v   w   x   y   z
13  14  15  16  17  18  19  20  21  22  23  24  25

Then the algorithm can be expressed as follows. For each plaintext letter p, substitute the ciphertext letter C.

C = E(p) = (p + 3) mod 26

A shift may be of any amount, so that the general Caesar algorithm is

C = E(p) = (p + k) mod 26

where k takes on a value in the range 1 to 25. The decryption algorithm is simply

p = D(C) = (C − k) mod 26

(ii) Monoalphabetic Ciphers — If, instead, the "cipher" line can be any permutation of the 26 alphabetic characters, then there are 26!, or greater than 4 × 10^26, possible keys. This is 10 orders of magnitude greater than the key space for DES and would seem to eliminate brute-force techniques for cryptanalysis. Such an approach is referred to as a monoalphabetic substitution cipher, because a single cipher alphabet (mapping from plain alphabet to cipher alphabet) is used per message.

(iii) Playfair Cipher — The best-known multiple-letter encryption cipher is the Playfair, which treats digrams in the plaintext as single units and translates these units into ciphertext digrams. The Playfair algorithm is based on the use of a 5 × 5 matrix of letters constructed using a keyword. Here is an example, solved by Lord Peter Wimsey in Dorothy Sayers's Have His Carcase.

M  O  N  A    R
C  H  Y  B    D
E  F  G  I/J  K
L  P  Q  S    T
U  V  W  X    Z

In this case, the keyword is monarchy. The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in alphabetic order. The letters I and J count as one letter. Plaintext is encrypted two letters at a time, according to the following rules —

(a) Repeating plaintext letters that would fall in the same pair are separated with a filler letter, such as x, so that balloon would be treated as ba lx lo on.

(b) Plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row circularly following the last. For example, ar is encrypted as RM.

(c) Plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last. For example, mu is encrypted as CM.

(d) Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM (or JM, as the encipherer wishes).


(iv) Hill Cipher — Another interesting multiletter cipher is the Hill cipher, developed by the mathematician Lester Hill in 1929. The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1, ..., z = 25). For m = 3, the system can be described as follows —

c1 = (k11 p1 + k12 p2 + k13 p3) mod 26
c2 = (k21 p1 + k22 p2 + k23 p3) mod 26
c3 = (k31 p1 + k32 p2 + k33 p3) mod 26

This can be expressed in terms of column vectors and matrices —

| c1 |   | k11 k12 k13 | | p1 |
| c2 | = | k21 k22 k23 | | p2 |  mod 26
| c3 |   | k31 k32 k33 | | p3 |

or

C = KP mod 26

where C and P are column vectors of length 3, representing the plaintext and ciphertext, and K is a 3 × 3 matrix, representing the encryption key. Operations are performed mod 26.

For example, consider the plaintext "paymoremoney", and use the encryption key

    | 17 17  5 |
K = | 21 18 21 |
    |  2  2 19 |

The first three letters of the plaintext are represented by the vector (15 0 24). Then K(15 0 24) = (375 819 486) mod 26 = (11 13 18) = LNS. Continuing in this fashion, the ciphertext for the entire plaintext is LNSHDLEWMTRW.

Decryption requires using the inverse of the matrix K. The inverse K^(−1) of a matrix K is defined by the equation KK^(−1) = K^(−1)K = I, where I is the matrix that is all zeros except for ones along the main diagonal from upper left to lower right. The inverse of a matrix does not always exist, but when it does, it satisfies the preceding equation. In this case, the inverse is

         |  4  9 15 |
K^(−1) = | 15 17  6 |
         | 24  0 17 |

This is demonstrated as follows —

| 17 17  5 | |  4  9 15 |   | 443 442 442 |          | 1 0 0 |
| 21 18 21 | | 15 17  6 | = | 858 495 780 | mod 26 = | 0 1 0 |
|  2  2 19 | | 24  0 17 |   | 494  52 365 |          | 0 0 1 |
Cryptography & Information Security

Now, converting the given characters to numeric values on a scale of 1 to 26.

m  o  n  e  y  h  e  l   p   s   t   o   b  u   i  l   d  i  n   f  r   a  s   t   r   u   c  t   u   r   e  x
13 15 14 5  25 8  5  12  16  19  20  15  2  21  9  12  4  9  14  6  18  1  19  20  18  21  3  20  21  18  5  24

Now as per the given formula, proceeding with each pair we get the desired result. (A column vector is written here as [x; y].)

First of all take mo => 13, 15
C = [9 4; 5 7][13; 15] mod 26 = [9×13 + 4×15; 5×13 + 7×15] mod 26 = [177; 170] mod 26 = [21; 14]
Converting these values back to the alphabets to get the ciphertext, we get 21 = u, 14 = n. Thus, mo becomes un. Similarly, processed for other pairs.

Now taking ne => 14, 5
C = [9 4; 5 7][14; 5] mod 26 = [126 + 20; 70 + 35] mod 26 = [146; 105] mod 26 = [16; 1] = [p; a]

Again taking yh => 25, 8
C = [9 4; 5 7][25; 8] mod 26 = [225 + 32; 125 + 56] mod 26 = [257; 181] mod 26 = [23; 25] = [w; y]

Again taking el => 5, 12
C = [9 4; 5 7][5; 12] mod 26 = [45 + 48; 25 + 84] mod 26 = [93; 109] mod 26 = [15; 5] = [o; e]

Again taking ps => 16, 19
C = [9 4; 5 7][16; 19] mod 26 = [144 + 76; 80 + 133] mod 26 = [220; 213] mod 26 = [12; 5] = [l; e]

Again taking to => 20, 15
C = [9 4; 5 7][20; 15] mod 26 = [180 + 60; 100 + 105] mod 26 = [240; 205] mod 26 = [6; 23] = [f; w]

Again taking bu => 2, 21
C = [9 4; 5 7][2; 21] mod 26 = [18 + 84; 10 + 147] mod 26 = [102; 157] mod 26 = [24; 1] = [x; a]

Again taking il => 9, 12
C = [9 4; 5 7][9; 12] mod 26 = [81 + 48; 45 + 84] mod 26 = [129; 129] mod 26 = [25; 25] = [y; y]

Again taking di => 4, 9
C = [9 4; 5 7][4; 9] mod 26 = [36 + 36; 20 + 63] mod 26 = [72; 83] mod 26 = [20; 5] = [t; e]

Again taking nf => 14, 6
C = [9 4; 5 7][14; 6] mod 26 = [126 + 24; 70 + 42] mod 26 = [150; 112] mod 26 = [20; 8] = [t; h]

Again taking ra => 18, 1
C = [9 4; 5 7][18; 1] mod 26 = [162 + 4; 90 + 7] mod 26 = [166; 97] mod 26 = [10; 19] = [j; s]

Again taking st => 19, 20
C = [9 4; 5 7][19; 20] mod 26 = [171 + 80; 95 + 140] mod 26 = [251; 235] mod 26 = [17; 1] = [q; a]

Again taking ru => 18, 21
C = [9 4; 5 7][18; 21] mod 26 = [162 + 84; 90 + 147] mod 26 = [246; 237] mod 26 = [12; 3] = [l; c]

Again taking ct => 3, 20
C = [9 4; 5 7][3; 20] mod 26 = [27 + 80; 15 + 140] mod 26 = [107; 155] mod 26 = [3; 25] = [c; y]

Again taking ur => 21, 18
C = [9 4; 5 7][21; 18] mod 26 = [189 + 72; 105 + 126] mod 26 = [261; 231] mod 26 = [1; 23] = [a; w]

Again taking ex => 5, 24
C = [9 4; 5 7][5; 24] mod 26 = [45 + 96; 25 + 168] mod 26 = [141; 193] mod 26 = [11; 11] = [k; k]

Now arranging the derived ciphertext as per the given plaintext "Money helps to build infrastructur ex" —

unpaw yoele fw xayyt ethjsqalccyawkk

Removing the extra letter x in the plaintext and the corresponding derived ciphertext letter k, we get the encrypted message as follows —

"unpaw yoele fw xayyt ethjsqalccyawk"

Prob.7. Encrypt the message "Cryptography" using the Hill cipher with key [9 4; 5 7]. Show your calculation. (R.G.P.V., June 2016)

Sol. According to Hill cipher

C = KP mod 26

By grouping the given text we get,

cr yp to gr ap hy

Now, converting the given characters to numeric values on a scale of 1 to 26.

c  r   y   p   t   o   g  r   a  p   h  y
3  18  25  16  20  15  7  18  1  16  8  25

Now as per the given formula, proceeding with each pair we get the desired result.

First of all take cr => 3, 18
C = [9 4; 5 7][3; 18] mod 26 = [9×3 + 4×18; 5×3 + 7×18] mod 26 = [27 + 72; 15 + 126] mod 26 = [99; 141] mod 26 = [21; 11]
Converting these values back to the alphabets to get the ciphertext, we get 21 = u, 11 = k. Thus, "cr" becomes "uk". Similarly, processed for other pairs.

Taking yp => 25, 16
C = [9 4; 5 7][25; 16] mod 26 = [225 + 64; 125 + 112] mod 26 = [289; 237] mod 26 = [3; 3] = [c; c]
Thus, "yp" becomes "cc".

Taking to => 20, 15
C = [9 4; 5 7][20; 15] mod 26 = [180 + 60; 100 + 105] mod 26 = [240; 205] mod 26 = [6; 23] = [f; w]
Thus, "to" becomes "fw".

Taking gr => 7, 18
C = [9 4; 5 7][7; 18] mod 26 = [63 + 72; 35 + 126] mod 26 = [135; 161] mod 26 = [5; 5] = [e; e]
Thus, "gr" becomes "ee".

Taking ap => 1, 16
C = [9 4; 5 7][1; 16] mod 26 = [9 + 64; 5 + 112] mod 26 = [73; 117] mod 26 = [21; 13] = [u; m]
Thus, "ap" becomes "um".

Taking hy => 8, 25
C = [9 4; 5 7][8; 25] mod 26 = [72 + 100; 40 + 175] mod 26 = [172; 215] mod 26 = [16; 7] = [p; g]
Thus, "hy" becomes "pg".

The derived ciphertext as per the given plaintext is "ukccfweeumpg".

Prob.8. Encrypt "meet me" using Hill cipher with key [9 4; 5 7]. Also decrypt the same. (R.G.P.V., June 2010)

Sol. According to Hill cipher

C = KP mod 26

By grouping the given text we get,

me et me

Now, converting the given characters to numeric values on a scale of 1 to 26.

m   e  e  t   m   e
13  5  5  20  13  5

Now as per the given formula, proceeding with each pair we get the desired result.

First of all take me => 13, 5
C = [9 4; 5 7][13; 5] mod 26 = [9×13 + 4×5; 5×13 + 7×5] mod 26 = [117 + 20; 65 + 35] mod 26 = [137; 100] mod 26 = [7; 22]
Converting these values back to the alphabets to get the ciphertext, we get 7 = g, 22 = v. Thus, me becomes gv. Similarly, processed for other pairs.

Taking et => 5, 20
C = [9 4; 5 7][5; 20] mod 26 = [45 + 80; 25 + 140] mod 26 = [125; 165] mod 26 = [21; 9] = [u; i]

Taking me => 13, 5 again gives gv.

The derived ciphertext as per the given plaintext is "gvui gv".

Prob.9. Encrypt the message "meet at the airport" using the Hill cipher with the key [9 4; 5 7]. Show your calculation and the result. (R.G.P.V., May 2019)

Sol. According to Hill cipher

C = KP mod 26

Now, converting the given characters to numeric values on a scale of 1 to 26.

m   e  e  t   a  t   t   h  e  a  i  r   p   o   r   t
13  5  5  20  1  20  20  8  5  1  9  18  16  15  18  20

Now as per the given formula, proceeding with each pair we get the desired result.

First of all take me => 13, 5
C = [9 4; 5 7][13; 5] mod 26 = [9×13 + 4×5; 5×13 + 7×5] mod 26 = [117 + 20; 65 + 35] mod 26 = [137; 100] mod 26 = [7; 22]
Converting these values back to the alphabets to get the ciphertext, we get 7 = g, 22 = v. Thus, me becomes gv. Similarly, processed for other pairs.

Now taking et => 5, 20
C = [9 4; 5 7][5; 20] mod 26 = [9×5 + 4×20; 5×5 + 7×20] mod 26 = [45 + 80; 25 + 140] mod 26 = [125; 165] mod 26 = [21; 9] = [u; i]

Again taking at => 1, 20
C = [9 4; 5 7][1; 20] mod 26 = [9×1 + 4×20; 5×1 + 7×20] mod 26 = [9 + 80; 5 + 140] mod 26 = [89; 145] mod 26 = [11; 15] = [k; o]

Again taking th => 20, 8
C = [9 4; 5 7][20; 8] mod 26 = [9×20 + 4×8; 5×20 + 7×8] mod 26 = [180 + 32; 100 + 56] mod 26 = [212; 156] mod 26 = [4; 0] = [d; z]
(the residue 0 stands for 26 = z)

Again taking ea => 5, 1
C = [9 4; 5 7][5; 1] mod 26 = [9×5 + 4×1; 5×5 + 7×1] mod 26 = [45 + 4; 25 + 7] mod 26 = [49; 32] mod 26 = [23; 6] = [w; f]

Again taking ir => 9, 18
C = [9 4; 5 7][9; 18] mod 26 = [9×9 + 4×18; 5×9 + 7×18] mod 26 = [81 + 72; 45 + 126] mod 26 = [153; 171] mod 26 = [23; 15] = [w; o]

Again taking po => 16, 15
C = [9 4; 5 7][16; 15] mod 26 = [9×16 + 4×15; 5×16 + 7×15] mod 26 = [144 + 60; 80 + 105] mod 26 = [204; 185] mod 26 = [22; 3] = [v; c]

Again taking rt => 18, 20
C = [9 4; 5 7][18; 20] mod 26 = [9×18 + 4×20; 5×18 + 7×20] mod 26 = [162 + 80; 90 + 140] mod 26 = [242; 230] mod 26 = [8; 22] = [h; v]

The derived ciphertext as per the given plaintext is "gvui ko dzw fwovchv".
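As an added example (not code from the book), the Hill cipher of Q.22 (ii) and Q.25 (iv) and of the four worked problems above, in Python with a general modular matrix inverse so that decryption works for any invertible key. The Q.25 example numbers the letters a = 0, ..., z = 25; the worked problems number them a = 1, ..., z = 26 and map a residue 0 back to z, so a one_based flag (a name chosen here) selects the convention. The same code also performs the decryption that Prob.8 asks for. Function names are my own.

```python
"""Added example, not from the book: the Hill cipher with C = K P (mod 26)
and K^-1 = det(K)^-1 * adj(K) (mod 26).  The one_based flag selects the
a = 1 ... z = 26 numbering used in the worked problems.  Names are constructed."""
import math

MOD = 26


def det_mod(m, mod=MOD):
    """Determinant modulo mod by first-row cofactor expansion (small d only)."""
    n = len(m)
    if n == 0:
        return 1
    if n == 1:
        return m[0][0] % mod
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det_mod(minor, mod)
    return total % mod


def inverse_mod(m, mod=MOD):
    """K^-1 modulo mod; raises when gcd(det K, mod) != 1, which is exactly the
    case 'the inverse of a matrix does not always exist'."""
    n = len(m)
    d = det_mod(m, mod)
    if math.gcd(d, mod) != 1:
        raise ValueError(f"determinant {d} has no inverse modulo {mod}")
    d_inv = pow(d, -1, mod)
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            # entry (i, j) of the adjugate is the cofactor of entry (j, i):
            # delete row j and column i, then apply the checkerboard sign
            minor = [row[:i] + row[i + 1:] for r, row in enumerate(m) if r != j]
            inv[i][j] = (-1) ** (i + j) * det_mod(minor, mod) * d_inv % mod
    return inv


def mat_vec(m, v, mod=MOD):
    """C = K P (mod 26) with P as a column vector."""
    return [sum(k * p for k, p in zip(row, v)) % mod for row in m]


def letters_to_numbers(text, one_based):
    base = 1 if one_based else 0
    return [ord(ch) - ord('a') + base for ch in text.lower() if ch.isalpha()]


def numbers_to_letters(nums, one_based):
    base = 1 if one_based else 0
    # in the 1..26 scheme the residue 0 stands for 26 = z, hence the extra mod
    return ''.join(chr(ord('A') + (n - base) % MOD) for n in nums)


def hill(text, key, one_based=False, decrypt=False, filler='x'):
    """Encrypt (or decrypt) text block by block; an incomplete last block is
    padded with the filler letter, as the worked problem does with 'x'."""
    k = inverse_mod(key) if decrypt else key
    d = len(key)
    nums = letters_to_numbers(text, one_based)
    while len(nums) % d:
        nums += letters_to_numbers(filler, one_based)
    out = []
    for i in range(0, len(nums), d):
        out.extend(mat_vec(k, nums[i:i + d]))
    return numbers_to_letters(out, one_based)
```

For the 3 × 3 key of Q.25 (iv) the inverse comes out as the matrix printed there, and hill("paymoremoney", K) gives LNSHDLEWMTRW; with one_based=True and the key [9 4; 5 7] it reproduces the ciphertexts of Prob.7 to Prob.9.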


Prob.10. Write a program that can encrypt and decrypt using general Caesar cipher, also known as additive cipher. (R.G.P.V., June 2013)

Sol. This program translates a line of text into its Caesar cipher form —

import acm.program.*;

public class CaesarCipher extends ConsoleProgram {
    public void run() {
        println("This program uses a Caesar cipher for encryption.");
        int key = readInt("Enter encryption key: ");
        String plaintext = readLine("Plaintext: ");
        String ciphertext = encryptCaesar(plaintext, key);
        println("Ciphertext: " + ciphertext);
    }

    /*
     * Encrypts a string by adding the value of key to each character.
     * The first line makes sure that key is always positive by converting
     * negative keys to the equivalent positive shift, so decryption is
     * simply encryption with the negated key.
     */
    private String encryptCaesar(String str, int key) {
        if (key < 0) {
            key = 26 - (-key % 26);
        }
        String result = "";
        for (int i = 0; i < str.length(); i++) {
            char ch = encryptCharacter(str.charAt(i), key);
            result += ch;
        }
        return result;
    }

    /*
     * Encrypts a single character using the key given. This method
     * assumes the key is non-negative. Non-letter characters are
     * returned unchanged.
     */
    private char encryptCharacter(char ch, int key) {
        if (Character.isLetter(ch)) {
            ch = (char) ('A' + (Character.toUpperCase(ch) - 'A' + key) % 26);
        }
        return ch;
    }
}

DATA ENCRYPTION STANDARD (DES), TRIPLE DES, MODES OF OPERATION, STREAM CIPHER

Q.35. With the help of a block diagram explain DES encryption. (R.G.P.V., June 2006, 2015)
Or
Explain the data encryption standard. (R.G.P.V., June 2005, Dec. [year illegible])
Or
Write short note on DES. (R.G.P.V., Dec. 2007)
Or
Explain DES algorithm with the help of diagrams. (R.G.P.V., June [year illegible])

Ans. Data Encryption Standard (DES) is the name of the Federal Information Processing Standard (FIPS) 46-3, which describes the Data Encryption Algorithm (DEA) created by IBM. DES came about due to a request by the US National Bureau of Standards (NBS) requesting proposals for a standard cryptographic algorithm that satisfied the following criteria —

(i) Provides a high level of security.

(ii) The security depends on keys, not the secrecy of the algorithm.

(iii) The security is capable of being evaluated.

(iv) The algorithm must be completely specified and easy to understand.

(v) It is efficient to use and adaptable.

(vi) Must be available to all users.

(vii) Must be exportable.

DEA is an improvement of the 'Algorithm Lucifer' (IBM, 1970). DES is the best known and most widely used symmetric algorithm in the world. It was adopted in 1977 as a standard by US Government for all commercial and unclassified information. It is no longer secure in its original form, but in a modified form it is still useful. The DES works as follows —

The general outline of DES is given in fig. 1.8 (a). Plaintext is encrypted in blocks of 64 bits, giving 64 bits of ciphertext. The algorithm has 19 distinct stages. It is parameterized by a 56-bit key. The first stage is a key-independent transposition on the 64-bit plaintext. The exact inverse of this transposition is the last stage. The second last stage exchanges the leftmost 32 bits with the rightmost 32 bits. The rest of the 16 stages are functionally identical but are parameterized by different functions of the key. The algorithm has been designed to allow decryption to be done with the same key as encryption. Thus it is a symmetric-key algorithm. The steps are just run in the reverse order.

[Fig. 1.8 Data Encryption Standard (DES): (a) General Outline, from the 64-bit plaintext to the 64-bit ciphertext; (b) Detail of One Iteration, with the two 32-bit halves and the round key K_i.]

The operation of one of these intermediate stages is illustrated in fig. 1.8 (b). Each stage takes two 32-bit inputs and produces two 32-bit outputs. The left output is simply a copy of the right input. The right output is the bitwise XOR of the left input and a function of the right input and the key for this stage, K_i. All the complexity is due to this function.

This function constitutes four steps, carried out in sequence. First, a 48-bit number, E, is constructed by expanding the 32-bit R_(i−1) according to a fixed transposition and duplication rule. Second, E and K_i are XORed together. Then this output is partitioned into eight groups of 6 bits each, each of which is fed into a different S-box. Each of the 64 possible inputs to an S-box is mapped onto a 4-bit output. Finally, these 8 × 4 bits are passed through a P-box.

A different key is used in each of the 16 iterations. The algorithm starts after a 56-bit transposition is applied to the key. Just before each iteration, the key is partitioned into two 28-bit units, each of which is rotated left by a number of bits dependent on the iteration number. K_i is derived from this rotated key by applying yet another 56-bit transposition to it. A different 48-bit subset of the 56 bits is extracted and permuted on each round.

A technique that is sometimes used to make DES stronger is called whitening. It consists of XORing a random 64-bit key with each plaintext block before feeding it into DES and then XORing a second 64-bit key with the resulting ciphertext before transmitting it. Whitening can easily be removed by running the reverse operations (if the receiver has the two whitening keys). Since this technique effectively adds more bits to the key length, it makes exhaustive search of the key space much more time consuming. It is noted that the same whitening key is used for each block (i.e., there is only one whitening key).


Q.36. What is the most popular symmetric encryption system used over the Web? (R.G.P.V., June 20[year illegible])

Ans. The most popular symmetric encryption used over the Web is the data encryption standard (DES).

DES — Refer to Q.35.

Q.37. During encrypting a message using DES in ciphertext block chaining mode, one bit of ciphertext in block C_i is accidentally transformed from a 0 to a 1 during transmission. How much plaintext will be garbled as a result? (R.G.P.V., Dec. 2006)

Ans. In ciphertext block chaining (CBC) mode, a single bit error in ciphertext block C_i during transmission may create errors in most bits of plaintext block P_i during decryption. However, this single error toggles only one bit in plaintext P_(i+1) (the bit in the same location). Plaintext blocks P_(i+2) to P_N are not affected by this single bit error. A single bit error in ciphertext is self-recovered.


Q.38. DES keys are 64 bits long, but the effective key length is only 56 bits. Why?

Ans. DES uses keys that are 64 bits long, but because eight of those bits are only parity bits, used to ensure that the key itself does not contain undiscovered errors, the effective length of the key is only 56 bits. While DES is fast, it has been broken using commercial grade computers in a reasonable period of time that can be as short as three days. As computing power increased, it became clear that DES was less secure than it once was. To respond to this vulnerability, a new encryption algorithm known as Triple DES was developed.
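As an added example (not from the book), the 64-bit key layout just described in Python: each key byte carries seven key bits and a low-order odd-parity bit, so a parity check detects a corrupted key byte, and stripping the parity bits leaves the 56 bits that actually select the permutation. The sample key is a constructed value chosen to have correct parity; the function names are my own.

```python
"""Added example, not from the book: parity bits in a 64-bit DES key (Q.38).
Names and the sample key are constructed."""


def byte_has_odd_parity(b):
    return bin(b).count('1') % 2 == 1


def des_key_parity_ok(key):
    """True when the key is 8 bytes and every byte has odd parity."""
    return len(key) == 8 and all(byte_has_odd_parity(b) for b in key)


def set_des_key_parity(key):
    """Return the key with each byte's low bit adjusted to give odd parity;
    the 56 key bits (the high seven bits of each byte) are left untouched."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 if byte_has_odd_parity(high7) else high7 | 1)
    return bytes(out)


def effective_key_bits(key):
    """The 56 bits that parameterise DES, as a bit string: parity bits dropped."""
    return ''.join(format(b >> 1, '07b') for b in key)


def keyspace_size(key_bits=56):
    """Number of distinct keys an exhaustive search has to cover."""
    return 2 ** key_bits
```

Two 64-bit keys that differ only in their parity bits have the same 56 effective bits and therefore encrypt identically, which is why the key space is 2^56 and not 2^64.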


0.39. Write short note on strength of DES. (R.GPV., May 2018) 

Ans. As we know that DES has been adopted as a federal standard, there 
have been lingering concerns about the level of security provided by DES. 
These concerns, by and large, fall into two areas — key size and the nature of 
the algorithm. 

The Use of 56-Bit Keys — With a key length of 56-bits, there are 256 
possible keys. Thus, brute-force attack appears impractical. However the 
assumption of one encryption per microsecond is overly conservative. As far 
back as 1977, Diffie and Hellman postulated that the technology existed to 
build a parallel machine with 1 million encryption devices, each of which 
could perform one encryption per us.This would bring the average search 
time to 10 hours. But is expensive. 


Š 
ç 


yo 


| 
| 
| 
| 


Unit-1 47 


ally proved insecure in July 1998, when the Electronic Frontier 
pES fin: cd that it has broken a DES encryption using a special 


ption anoun, achine th built for less t! 
poun DES Cracker machine that was or less than $250,000. The 


purpose ok less than 3 days. 
attack 10 j tant to note that there is more to a key-search attack than 
It is sel naenen all possible keys. Unless known plaintext is provided, 
simply ae be able to recognize plaintext as plaintext. If the message is 
the anal: st ee English then the result pops out easily, although English 
a n have to be automated. If the text message has been 
: fore encryption, then recognition is more difficult. If the 
has been compressed then the problem becomes even 
umere It to automate. Thus, to supplement the brute-force attack some 
more difficu edge about the expected plaintext is needed. 
there are a number of alternatives to DES, the most important 
riple DES. 


e of DE i 
papei is possible by exploiting the characteristics of the DES algorithm. 
cryP 


The focus of concern has been on the eight substitution tables or S-boxes, 
that are used in each iteration. Because the design criteria for these boxes and 
indeed for entire algorithm, were not made public, there is a suspicion that the 
boxes were constructed in such a way that cryptanalysis is possible for an 
opponent who knows the weaknesses in the S-boxes. This assertion is 
tantalizing and over the years a number of regularities and unexpected behaviors 
of the S-boxes have been discovered. Despite this no one has so far succeeded 
in discovering the supposed fatal weaknesses in the S-boxes. 


Timing Attacks — A timing attack is one in which information about the 
key or the plaintext is obtained by observing how long it takes a given 
implementation to perform decryptions on various ciphertexts. A timing attack 
exploits the fact that an encryption or decryption algorithm often takes slightly 
different amounts of time on different inputs. This is a long way from knowing 
the actual key, but it is an intriguing first step. The authors conclude that DES 
appears to be fairly resistant to a successful timing attack but suggest some 
avenues to explore. Although this is an interesting line of attack, it so far 
appears unlikely that this technique will ever be successful against DES or 
more powerful symmetric ciphers such as AES and triple DES. 


Q.40. Why is the middle portion of 3DES a decryption rather than an 
encryption ? (R.G.P.V., June 2017) 


Ans. For use in financial applications, 3DES was first standardized in ANSI 
Standard X9.17 in 1985. 3DES was incorporated as part of the data encryption 
standard in 1999, with the publication of FIPS PUB 46-3. 3DES uses three keys 
and three executions of the DES algorithm. An encrypt-decrypt-encrypt 
sequence (see fig. 1.9) is followed; the function is given below — 
C = E(K_3, D(K_2, E(K_1, P))) 
where, 
C = Ciphertext 
P = Plaintext 
E[K, X] = Encryption of X using key K 
D[K, Y] = Decryption of Y using key K. 

Fig. 1.9 Encryption (P → Encrypt with K_1 → Decrypt with K_2 → Encrypt with K_3 → C) 

Decryption is simply the same operation with the keys reversed as shown 
in fig. 1.10. 
P = D(K_1, E(K_2, D(K_3, C))) 

Fig. 1.10 Decryption (C → Decrypt with K_3 → Encrypt with K_2 → Decrypt with K_1 → P) 

There is no cryptographic significance to the use of decryption for the 
second stage of 3DES encryption. Its only advantage is that it permits users of 
3DES to decrypt data encrypted by users of the older single DES — 
C = E(K_1, D(K_1, E(K_1, P))) = E[K_1, P] 
3DES has an effective key length of 168 bits with three different keys. FIPS 
46-3 also permits the use of two keys, with K_1 = K_3; this gives a key length 
of 112 bits. FIPS 46-3 has the guidelines for 3DES, which are given below — 
(i) 3DES is the FIPS approved symmetric encryption algorithm of 
choice. 
(ii) The original DES, which uses a single 56-bit key, is allowed under 
the standard for legacy systems only. 3DES should be supported by new 
procurements. 
(iii) Government organizations with legacy DES systems are 
encouraged to transition to 3DES. 
(iv) It is anticipated that 3DES and the advanced encryption standard 
(AES) will coexist as FIPS-approved algorithms, permitting a gradual transition 
to AES. 
It is easy to see that 3DES is a formidable algorithm. Since the underlying 
cryptographic algorithm is DEA, 3DES may claim the same resistance to 
cryptanalysis based on the algorithm as is claimed for DEA. Again, brute force 
attacks are effectively not possible with a 168-bit key length. 
AES is intended to replace 3DES, but this process will take several 
years; it is anticipated by NIST that 3DES will remain an approved algorithm 
for the foreseeable future. 


Q.41. Explain the function of a single round performed in each round of 
DES. (R.G.P.V., Dec. 2011) 

Ans. The internal structure of a single round is shown in fig. 1.11. The 
left and right halves of each 64-bit intermediate value are considered as separate 
32-bit quantities, labeled L (left) and R (right). The overall processing at each 
round is simple to see by the following formulas — 
L_i = R_{i−1} 
R_i = L_{i−1} ⊕ F(R_{i−1}, K_i) 
The R input is 32 bits. The round key K_i is 48 bits. This R input is first 
expanded to 48 bits by using a table that defines a permutation plus an expansion 
that involves duplication of 16 of the R bits (table 1.2). The resulting 48 bits are 
XORed with K_i. This 48-bit output passes through a substitution function 
providing a 32-bit output. This 32-bit output is permuted as defined by table 1.3. 

Fig. 1.11 DES Function (L_{i−1}: 32 bits, R_{i−1}: 32 bits, K_i: 48 bits) 
Table 1.2 Expansion Permutation (E) 
32 01 02 03 04 05 
04 05 06 07 08 09 
08 09 10 11 12 13 
12 13 14 15 16 17 
16 17 18 19 20 21 
20 21 22 23 24 25 
24 25 26 27 28 29 
28 29 30 31 32 01 

Table 1.3 Permutation Function (P) 
16 7 20 21 29 12 28 17 
1 15 23 26 5 18 31 10 
2 8 24 14 32 27 3 9 
19 13 30 6 22 11 4 25 


Fig. 1.12 shows the role of the S-boxes. The substitution uses 8 S-boxes, 
each with a 6-bit input and a 4-bit output. These transformations are defined 
in table 1.4, which is interpreted as follows. The combination of bits 1 and 6 
of the input to box S_i forms a 2-bit binary number to select one of four 
substitutions defined by the four rows in the table for S_i. The combination of 
bits 2 through 5 selects one of the sixteen columns. The decimal value in the 
cell selected by the row and column is then converted to its 4-bit representation 
to produce the output. 

Fig. 1.12 (48-bit input, S-boxes S1 to S8, 32-bit output) 
Table 1.4 Definition of DES S-Boxes 
(each box: rows 0 to 3, columns 0 to 15) 

S1 
14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7 
 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8 
 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0 
15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13 

S2 
15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10 
 3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5 
 0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15 
13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9 

S3 
10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8 
13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1 
13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7 
 1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12 

S4 
 7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15 
13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9 
10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4 
 3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14 

S5 
 2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9 
14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6 
 4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14 
11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3 

S6 
12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11 
10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8 
 9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6 
 4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13 

S7 
 4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1 
13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6 
 1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2 
 6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12 

S8 
13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7 
 1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2 
 7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8 
 2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11 


Q.42. What is the purpose of the S-boxes in DES ? (R.G.P.V., June 2016) 
Ans. Refer to Q.41. 


Q.43. Which parameters and design choices determine the actual 
algorithm of a Feistel cipher ? What is the purpose of the S-boxes in DES ? 
(R.G.P.V., June 2013) 

Ans. The choice of the following parameters and design features determines 
the exact realization of a Feistel cipher — 


(i) Block Size — If the block size is large, then high security is 
achieved. This also reduces encryption/decryption speed. 

(ii) Key Size — If the key size is large, then high security is 
achieved. The key size of 64 bits or less is now obsolete, and 128 bits has 
become a common size. 

(iii) Number of Rounds — A single round provides inadequate 
security but multiple rounds provide increasing security. A typical size is 
16 rounds. 

(iv) Subkey Generation Algorithm — Greater complexity in this 
algorithm should lead to greater difficulty of cryptanalysis. 

(v) Round Function — Again, greater complexity in this function 
means greater resistance to cryptanalysis. 

Purpose of the S-boxes in DES — Refer to Q.41. 


Q.44. What is the purpose of the S-boxes in DES ? Explain the 
avalanche effect. (R.G.P.V., May ...) 
Ans. Purpose of the S-boxes in DES — Refer to Q.41. 


Avalanche Effect — A mathematical function which takes a string of any 
length (pre-image) and returns a smaller fixed-length string (hash value) is 
known as a one-way hash function. These functions are developed in such a way 
that not only is it complex to deduce the message from its hash value, but also, 
even provided that all hashes are a certain length, it is very difficult to search 
for two messages which hash to the same value. In fact, to find two messages 
with the same hash from a 128-bit hash function, a huge number of messages 
would have to be tried. In other words, the hash value of a file is a unique 
"fingerprint". Even a slight change in an input string must cause the hash value 
to change drastically. Even when one bit is flipped in the input string, at least 
half of the bits will flip as a result in the hash value. This effect is known as 
the avalanche effect. 


Q.45. Explain the avalanche effect. 
Ans. Refer to Q.44. 


Q.46. What are the block cipher modes of operation ? Explain each in 
short. (R.G.P.V., Dec. 2006, June 2016) 

Or 
What are the block cipher modes of operation ? 
(R.G.P.V., June 2006, Dec. 2004) 
Ans. The DES algorithm is a basic building block for providing data 
security. To apply DES in a variety of applications, four "modes of operation" 
have been defined. These four modes are intended to cover virtually all the 
possible applications of encryption for which DES could be used. As new 
applications and requirements have appeared, NIST has expanded the list of 
recommended modes to five in special publication 800-38A. These modes are 
intended for use with any symmetric block cipher, including triple DES and 
AES. All these modes are summarized in table 1.5. 


Table 1.5 Block Cipher Modes of Operation 

Mode | Description | Typical Application 
Electronic Codebook (ECB) | Each block of 64 plaintext bits is encoded independently using the same key. | Secure transmission of single values (e.g., an encryption key) 
Cipher Block Chaining (CBC) | The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. | General-purpose block-oriented transmission; Authentication 
Cipher Feedback (CFB) | Input is processed J bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext. | General-purpose stream-oriented transmission; Authentication 
Output Feedback (OFB) | The input to the encryption algorithm is the preceding DES output. | Stream-oriented transmission over noisy channel (e.g., satellite communication) 
Counter (CTR) | Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block. | General-purpose block-oriented transmission; Useful for high-speed requirements 


Q.47. What is an initialization vector (IV) ? What is its significance ? 
(R.G.P.V., June 2014) 

Ans. An initialization vector is usually a random b-bit string, where b is 
the block size. It has no special meaning. The IV is used to make each message 
unique. The likelihood of an IV repeating in two different messages is quite rare 
because it is randomly generated. As a result, the IV helps in making the cipher 
text of a message unique, or at least quite different from all the other cipher texts 
of a different message. It is not mandatory to keep the IV secret; it can be known 
to anyone. This seems slightly concerning and confusing. However, if we 
examine the operation of CBC, we will realize that the IV is simply one of the two 
inputs to the first encryption step. The output of step 1 is cipher text block 1, 
which is also one of the two inputs to the second encryption step. In other 
words, cipher text block 1 is also an IV for step 2, cipher text block 2 is also an 
IV for step 3, and so on. Since all the cipher text blocks are sent to the receiver, 
we are actually anyway sending the IVs for step 2 onwards. 
Thus, there is no special reason why the IV for step 1 should be kept secret. 


Q.48. Compare cipher block chaining with cipher feedback mode in 
terms of encryption operation needed to transmit a large file. Which mode is 
better and why ? (R.G.P.V., Dec. ...) 
Ans. In Cipher Block Chaining mode, the input to the encryption 
algorithm is the XOR of the current plaintext block and the preceding ciphertext 
block; the same key is used for each block. In effect, we have chained together 
the processing of the sequence of plaintext blocks. The input to the encryption 
function for each plaintext block bears no fixed relationship to the plaintext 
block. Therefore, repeating patterns of 64 bits are not exposed. Encryption in 
CBC mode is, 
C_i = E[K, (C_{i−1} ⊕ P_i)] 

Whereas, in Cipher Feedback mode as with CBC, the units of plaintext 
are chained together, so that the ciphertext of any plaintext unit is a function of 
all the preceding plaintext. Thus, rather than units of 64 bits, the plaintext is 
divided into segments of s bits. 

The input to the encryption function is a 64-bit shift register that is initially 
set to some initialization vector (IV). The leftmost s bits of the output of the 
encryption function are XORed with the first segment of plaintext P_1 to produce 
the first unit of ciphertext C_1, which is then transmitted. In addition, the 
contents of the shift register are shifted left by s bits and C_1 is placed in the 
rightmost s bits of the shift register. 

Let S_s(X) be the most significant s bits of X. Then, 
C_1 = P_1 ⊕ S_s(E_K(IV)). 
This process continues until all plaintext units have been encrypted. 
Because of the chaining mechanism of cipher block chaining (CBC) mode, 
it is an appropriate or a better mode than cipher feedback mode (CFB) to 
encrypt a large file and transmit it. Generally CBC is best suited for encrypting 
messages of length greater than 64 bits. 


Q.49. Briefly explain electronic codebook mode. 

Ans. The electronic codebook (ECB) mode is the simplest mode, in 
which plaintext is handled 64 bits at a time and each block of plaintext is 
encrypted using the same key as shown in fig. 1.13. The term codebook is 
used because, for a given key, there is a unique ciphertext for every 64-bit 
block of plaintext. Therefore, we can imagine a gigantic codebook in which 
there is an entry for every possible 64-bit plaintext pattern showing its 
corresponding ciphertext. 

Fig. 1.13 Electronic Codebook (ECB) Mode ((a) Encryption: at Time = 1, 2, ..., N 
the blocks P_1, P_2, ..., P_N are each encrypted under K to C_1, C_2, ..., C_N; 
(b) Decryption: C_1, C_2, ..., C_N are each decrypted under K to P_1, P_2, ..., P_N) 

For a message longer than 64 bits, the procedure is simply to break the 
message into 64-bit blocks, padding the last block if necessary. Decryption 
is performed one block at a time, always using the same key. Fig. 1.13 
shows the plaintext (padded as necessary) consists of a sequence of 64-bit 
blocks, P_1, P_2, ..., P_N and the corresponding sequence of ciphertext blocks, 
C_1, C_2, ..., C_N. 

The ECB method is ideal for a short amount of data, such as an encryption 
key. Thus, if you want to transmit a DES key securely, ECB is the appropriate 
mode to use. 

The most significant characteristic of ECB is that the same 64-bit block 
of plaintext, if it appears more than once in the message, always produces the 
same ciphertext. 

For lengthy messages, the ECB mode may not be secure. If the message is 
highly structured, it may be possible for a cryptanalyst to exploit these 
regularities. For example, if it is known that the message always starts out 
with certain predefined fields, then the cryptanalyst may have a number of 
known plaintext-ciphertext pairs to work with. If the message has repetitive 
elements with a period of repetition a multiple of 64 bits, then these elements 
can be identified by the analyst. This may help in the analysis or may provide 
an opportunity for substituting or rearranging blocks. 
... involved with key distribution centers for symmetric encryption. In fact 
some form of protocol is needed, generally involving a central agent, and the 
procedures involved are no simpler nor any more efficient than those required 
for symmetric encryption. 


Q.8. Explain public-key cryptosystems. 

Or 
What are the principal elements of a public key cryptosystem ? What are 
the roles of the public key and private key ? (R.G.P.V., Dec. 2006, 200...) 

Ans. A public-key encryption scheme has six ingredients as shown in fig. 2.4. 

Fig. 2.4 Public-key Cryptography ((a) Encryption: plaintext input → encryption 
algorithm (e.g., RSA) with Alice's public key → transmitted ciphertext → 
decryption algorithm (reverse encryption algorithm) with Alice's private key → 
plaintext output; (b) Authentication: the corresponding flow between Bob and 
Alice using Bob's keys) 

(i) Plaintext — This is the readable message or data that is fed into 
the algorithm as input. 
(ii) Encryption Algorithm — The encryption algorithm performs 
various transformations on the plaintext. 
(iii) Public and Private Key — This is a pair of keys, one is used for 
encryption, and the other is used for decryption. The exact transformations 
performed by the encryption algorithm depend on the public or private key 
that is provided as input. 
(iv) Ciphertext — This is the scrambled message produced as output. 
It depends on the plaintext and the key. For a given message, two different 
keys will produce two different ciphertexts. 
(v) Decryption Algorithm — This algorithm accepts the ciphertext 
and the matching key and produces the original plaintext. 

The essential steps of the algorithm are as follows — 

(i) Each user generates a pair of keys to be used for the encryption 
and decryption of messages. 

(ii) Each user places one of the two keys in a public register or 
other accessible file. This key is known as public key. The companion key is 
kept private. This key is known as private key. As suggested in fig. 2.4, each 
user maintains a collection of public keys obtained from others. 

(iii) In the figure, if Bob wishes to send a confidential message to 
Alice, Bob encrypts the message using Alice’s public key. 

(iv) When Alice receives the message, she decrypts it using her 
private key. No other recipient can decrypt the message because only Alice 
knows her private key. 

With this approach, all users have access to public keys, and private keys 
are generated locally by each user and therefore need never be distributed. As 
long as a system controls its private key, its incoming communication is secure. 
At any time a system can change its private key and publish the companion 
public key to replace its old public key. 

To discriminate between conventional and public-key encryption, we will 
generally refer to the key used in symmetric encryption as a secret key. The two 
keys used for public-key encryption are referred to as the public key and private 
key. Invariably the private key is kept secret, but it is referred to as a private key 
rather than a secret key to avoid confusion with symmetric encryption. 


Q.9. What are the principles of the public-key cryptosystems ? 

Ans. The concept of public-key cryptography evolved from an attempt to 
attack two of the most difficult problems associated with symmetric encryption. 
The input to the encryption function is a 64-bit shift register that is initially 
set to some initialization vector (IV). The leftmost (most significant) s bits of 
the output are XORed with the first segment of plaintext P_1 to produce the 
first unit of ciphertext C_1, which is then transmitted. In addition, the contents 
of the shift register are shifted left by s bits and C_1 is placed in the rightmost 
(least significant) s bits of the shift register. This process continues until all 
plaintext units have been encrypted. 

The same scheme is used for decryption, except that the received ciphertext 
unit is XORed with the output of the encryption function to produce the 
plaintext unit. Note that it is the encryption function that is used, not the 
decryption function. Let S_s(X) be defined as the most significant s bits of X. 
Then 
C_1 = P_1 ⊕ S_s[E_K[IV]] 
Therefore, 
P_1 = C_1 ⊕ S_s[E_K[IV]] 

The same reasoning holds for subsequent steps in the process. 


Q.52. Compare output feedback mode with cipher feedback mode. 
(R.G.P.V., June 2015) 
Ans. The output feedback (OFB) mode is similar in structure to that of 
CFB as shown in fig. 1.16. It is clearly seen from the figure that the output of 
the encryption function is fed back to the shift register in OFB, whereas in 
CFB, the ciphertext unit is fed back to the shift register. 

One advantage of the OFB method is that bit errors in transmission do 
not propagate. For example, if a bit error occurs in C_1, only the recovered 
value of P_1 is affected; subsequent plaintext units are not corrupted. With 
CFB, C_1 also serves as input to the shift register and therefore causes additional 
corruption downstream. 

The disadvantage of OFB is that it is more vulnerable to a message stream 
modification attack than is CFB. Consider that complementing a bit in the 
ciphertext complements the corresponding bit in the recovered plaintext. Thus, 
controlled changes to the recovered plaintext can be made. This may make it 
possible for an opponent, by making the necessary changes to the checksum 
portion of the message as well as the data portion, to alter the ciphertext in 
such a way that it is not detected by an error-correcting code. 
Q.53. What is counter mode ? List various advantages of CTR mode 
over other modes of operation. (R.G.P.V., Dec. 2009) 

Ans. Interest in the counter mode (CTR) has increased recently, with 
applications to ATM (asynchronous transfer mode) network security. The 
scheme is illustrated in fig. 1.17. In this scheme, a counter equal to the 
plaintext block size is used. 

Fig. 1.17 Counter (CTR) Mode ((a) Encryption: Counter, Counter + 1, ..., 
Counter + N − 1 are each encrypted under K and XORed with P_1, P_2, ..., P_N 
to give C_1, C_2, ..., C_N; (b) Decryption: the same encrypted counters XORed 
with C_1, C_2, ..., C_N give P_1, P_2, ..., P_N) 

The only requirement is that the counter value must be different for each 
plaintext block that is encrypted. The counter is initialized to some value and 
then incremented by 1 for each subsequent block (modulo 2^b, where b is the 
block size). For encryption, the counter is encrypted and then XORed with 
the plaintext block to produce the ciphertext block; there is no chaining. For 
decryption, the same sequence of counter values is used, with each encrypted 
counter XORed with a ciphertext block to recover the corresponding plaintext 
block. 


CTR mode has the following advantages — 

(i) Simplicity — Unlike ECB and CBC modes, CTR mode requires 
only the implementation of the encryption algorithm and not the decryption 
algorithm. 

(ii) Hardware Efficiency — Unlike the three chaining modes, in CTR 
mode encryption or decryption can be done in parallel on multiple blocks of 
plaintext or ciphertext. For the chaining modes, the algorithm must complete 
the computation on one block before beginning on the next block. This limits 
the maximum throughput of the algorithm to the reciprocal of the time for one 
execution of block encryption or decryption. In CTR mode, the throughput is 
only limited by the amount of parallelism that is achieved. 

(iii) Software Efficiency — Similarly, because of the parallel execution 
in CTR mode, processors that support parallel features, such as aggressive 
pipelining, multiple instruction dispatch per clock cycle, a large number of 
registers, and SIMD instructions, can be effectively utilized. 

(iv) Random Access — The ith block of plaintext or ciphertext can 
be processed in random-access fashion. With the chaining modes, block C_i 
cannot be computed until the i − 1 prior blocks are computed. There may be 
applications in which a ciphertext is stored and it is desired to decrypt just one 
block. For such applications, the random access feature is attractive. 

(v) Preprocessing — If sufficient memory is available and security 
is maintained, preprocessing can be used to prepare the output of the encryption 
boxes that feed into the XOR functions. When the plaintext or ciphertext input 
is presented, then the only computation is a series of XORs. Such a strategy 
greatly enhances throughput. 

(vi) Provable Security — It can be seen that CTR is at least as secure 
as the other modes. 


Q.54. Why do some block cipher modes of operation only use encryption 
while others use both encryption and decryption ? (R.G.P.V., June 2005) 

Ans. The DES algorithm is a basic building block for providing data 
security. To apply DES in a variety of applications, four "modes of operation" 
have been defined. These four modes are intended to cover virtually all the 
possible applications of encryption for which DES could be used. As new 
applications and requirements have appeared, NIST has expanded the list of 
recommended modes to five in special publication 800-38A. These modes are 
intended for use with any symmetric block cipher, including triple DES and 
AES. 

Some block cipher modes of operation only use encryption while others 
use both encryption and decryption to furnish different types of data security, 
because the various block cipher modes of operation are intended to support 
various types of applications. For the detailed working of the various block 
cipher modes of operation, refer to Q.49, Q.50, Q.51, Q.52 and Q.53 also. 
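The EDE sequence of Q.40 and the five modes of table 1.5 (Q.46 to Q.54), as an added Python illustration that is not the book's code: it runs over an abstract 64-bit block function and substitutes a constructed, invertible toy map for DES (the key, IV and sample blocks are constructed too), so the chaining, feedback and error-propagation behaviour described in Q.47, Q.48, Q.52 and Q.53 can be exercised offline.

```python
# Block cipher modes from table 1.5 (ECB, CBC, CFB, OFB, CTR) and the 3DES
# encrypt-decrypt-encrypt sequence of Q.40, written over an abstract 64-bit
# block function E_K / D_K. Added illustration, not the book's code. The
# constructed "toy" cipher below only stands in for DES so the modes run
# offline; it is a keyed affine map on 64-bit integers, not a secure cipher.

BLOCK = 64
MASK = (1 << BLOCK) - 1
MUL = 0x9E3779B97F4A7C15              # odd, hence invertible modulo 2**64
MUL_INV = pow(MUL, -1, 1 << BLOCK)

def enc(key: int, x: int) -> int:    # stand-in for E(K, X)
    return (((x ^ key) * MUL) + key) & MASK

def dec(key: int, y: int) -> int:    # stand-in for D(K, Y), inverse of enc
    return ((((y - key) & MASK) * MUL_INV) & MASK) ^ key

def msb(x: int, s: int) -> int:      # S_s(X): the most significant s bits of X
    return x >> (BLOCK - s)

# Q.40: C = E(K3, D(K2, E(K1, P))).  With K1 = K2 = K3 the middle stage cancels
# the first, so a 3DES user decrypts single-DES data with the same code path.
def tdes_encrypt(k1: int, k2: int, k3: int, p: int) -> int:
    return enc(k3, dec(k2, enc(k1, p)))

def tdes_decrypt(k1: int, k2: int, k3: int, c: int) -> int:
    return dec(k1, enc(k2, dec(k3, c)))   # P = D(K1, E(K2, D(K3, C)))

# ECB: every block independently; equal plaintext blocks give equal ciphertext.
def ecb_encrypt(key, blocks): return [enc(key, p) for p in blocks]
def ecb_decrypt(key, blocks): return [dec(key, c) for c in blocks]

# CBC: C_i = E_K[C_{i-1} XOR P_i] with C_0 = IV (Q.47, Q.48).
def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = enc(key, prev ^ p)
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(dec(key, c) ^ prev)
        prev = c
    return out

# CFB: s-bit units; the ciphertext unit is shifted into the 64-bit register.
# Only E_K is used, so one routine serves both directions (Q.51, Q.54).
def cfb(key, iv, units, s, decrypting=False):
    out, reg = [], iv
    for u in units:
        y = u ^ msb(enc(key, reg), s)
        cipher_unit = u if decrypting else y
        reg = ((reg << s) | cipher_unit) & MASK   # shift left by s, C_i at the right
        out.append(y)
    return out

# OFB: same structure, but the s-bit encryption output is fed back instead.
def ofb(key, iv, units, s):
    out, reg = [], iv
    for u in units:
        o = msb(enc(key, reg), s)
        out.append(u ^ o)
        reg = ((reg << s) | o) & MASK
    return out

# CTR: E_K(counter + i) XOR block_i; no chaining, so block i can be handled
# alone, in parallel or by random access (Q.53).
def ctr_block(key, counter, i, block):
    return enc(key, (counter + i) & MASK) ^ block

def ctr(key, counter, blocks):
    return [ctr_block(key, counter, i, b) for i, b in enumerate(blocks)]

def units_hit_by_bit_error(mode, key, iv, units, s):
    """Flip one bit of the first transmitted unit and list the recovered units
    that differ (Q.52): OFB damages only unit 0; CFB also the next 64/s units,
    for as long as the damaged unit sits in the receiver's shift register."""
    c = cfb(key, iv, units, s) if mode == "cfb" else ofb(key, iv, units, s)
    c[0] ^= 1
    rec = cfb(key, iv, c, s, True) if mode == "cfb" else ofb(key, iv, c, s)
    return [i for i, (a, b) in enumerate(zip(units, rec)) if a != b]

# Constructed sample input: a repeated 64-bit block, and 8-bit units for CFB/OFB.
KEY, IV = 0x0123456789ABCDEF, 0x1122334455667788
PLAIN = [0x4142434445464748, 0x4142434445464748, 0x5555555555555555]
UNITS = [0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C]
```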


Q.55. Explain such block cipher modes of operation which use only 
encryption and why they use only encryption. Draw complete and clear 
diagrams of each. (R.G.P.V., Dec. 2011) 

Or 
Explain such block cipher modes of operation which use encryption 
and decryption. Draw complete and clear diagrams of each. 
(R.G.P.V., June 2012) 

Ans. Refer to Q.49, Q.50, Q.51, Q.52 and Q.53. 
Q.56. What are the advantages and disadvantages of DES ? 
Ans. The advantages of DES are as follows — 

(i) The security factors with respect to the fact that solving the 
discrete logarithm is very challenging. 

(ii) The shared key (i.e. the secret) is never itself transmitted over 
the channel. 

The disadvantages of DES are as follows — 

(i) The fact that there are expensive exponential operations involved, 
and the algorithm cannot be used to encrypt messages; it can be used for 
establishing a secret key only. 

(ii) There is also a lack of authentication. 

(iii) There is no identity of the parties involved in the exchange. 
(iv) It is easily susceptible to man-in-the-middle attacks. A third party 
C can exchange keys with both A and B, and can listen to the communication 
between A and B. 
(v) The algorithm is computationally intensive. Each multiplication 
varies as the square of n, which must be very large. The number of 
multiplications required by the exponentiation increases with increasing values 
of the exponent, x or y in this case. 
(vi) The computational nature of the algorithm could be used in a 
denial-of-service attack very easily. 
Q.57. Write short note on stream cipher. 

Ans. Stream ciphers typically operate on bits. The one-time pad is an 
example of a stream cipher. Practical stream ciphers typically generate a pseudo- 
random keystream as a function of a fixed length key and a ... string. The key 
is known ... and the ... could be a message sequence number ..., for example 
... 802.11. Stream ciphers are ... complicated circuits. However, ... shown to be 
vulnerable to attack. Th... block ciphers. 

Q.58. Differentiate between block cipher and stream cipher. 
(R.G.P.V., Dec. 2011, June 2012) 

Ans. Refer to Q.32 and Q.57. 

ADVANCED ENCRYPTION STANDARD, INTRODUCTION TO PUBLIC KEY 
CRYPTOGRAPHY AND ..., DISCRETE LOGARITHMIC PROBLEM, 
DIFFIE-HELLMAN KEY ..., COMPUTATIONAL & DECISIONAL 
DIFFIE-HELLMAN PROBLEM 


Q.1. What is the advanced encryption standard (AES) ? 

Ans. Advanced encryption standard (AES) is a fast symmetric cryptosystem 
for mass encryption. It was developed through competition, and is based on 
the RIJNDAEL system, published in 1999 by Joan Daemen and Vincent Rijmen 
from Belgium. AES replaced the old DES system. 

AES works on bit symbols, so the residue classes (bits) 0 and 1 of Z_2 can 
be considered as plaintext and cryptotext symbols. The workings of RIJNDAEL 
can be described using the field F_{2^8} and its polynomial ring F_{2^8}(z). To avoid 
confusion we use z as the dummy variable in the polynomial ring and x as the 
dummy variable for polynomials in Z_2(x), needed in defining the field F_{2^8}. 
Further, addition and multiplication in F_{2^8} are denoted by ⊕ and ⊙, the 
identity element by 1 and the zero element by 0. Note that because 1 = −1 in 
Z_2, the additive inverse of an element of F_{2^8}(z) is the element itself. So 
subtraction ⊖ is the same as addition ⊕, in this case. 

Construction — In the RIJNDAEL system the length l_B of the plaintext 
block and the length l_K of the key are independently either 128, 192 or 256 
bits. Dividing by 32 we get the numbers N_B = l_B/32 and N_K = l_K/32. 

Bits are handled as bytes of 8 bits. A byte b_1 b_2 ... b_8 can be 
considered as an element of the field F_{2^8}. 

The key is usually expressed as a 4 × N_K matrix whose elements are 
bytes. If the key is, byte by byte, 
k = k_00 k_10 k_20 k_30 k_01 k_11 k_21 ... k_{3,N_K−1} 
then the corresponding matrix is 
K = [k_00 k_01 k_02 ... k_{0,N_K−1}] 
    [k_10 k_11 k_12 ... k_{1,N_K−1}] 
    [k_20 k_21 k_22 ... k_{2,N_K−1}] 
    [k_30 k_31 k_32 ... k_{3,N_K−1}] 


Note how the elements of the matrix are indexed starting from zero. 
Similarly, if the input block (plaintext block) is, byte by byte, 
a = a_00 a_10 a_20 a_30 a_01 a_11 a_21 ... a_{3,N_B−1} 
then the corresponding matrix is 
A = [a_00 a_01 a_02 ... a_{0,N_B−1}] 
    [a_10 a_11 a_12 ... a_{1,N_B−1}] 
    [a_20 a_21 a_22 ... a_{2,N_B−1}] 
    [a_30 a_31 a_32 ... a_{3,N_B−1}] 

During encryption we are dealing with a bit sequence of length l_B, the so- 
called state. Like the block, it is also expressed byte by byte in the form of a 
4 × N_B matrix 
S = [s_00 s_01 s_02 ... s_{0,N_B−1}] 
    [s_10 s_11 s_12 ... s_{1,N_B−1}] 
    [s_20 s_21 s_22 ... s_{2,N_B−1}] 
    [s_30 s_31 s_32 ... s_{3,N_B−1}] 

Elements of the matrices K, A and S are bytes of 8 bits, which can be 
interpreted as elements of the field F_{2^8}. In this way these matrices are matrices 
over this field. Another way to interpret the matrices is to consider their columns 
as sequences of elements of the field F_{2^8} of length 4. These can be interpreted 
further, from top to bottom, as coefficients of polynomials with maximum 
degree 3 from the polynomial ring F_{2^8}(z). So, the state S mentioned above 
would thus correspond to the polynomial sequence of its columns. 

The field F_{2^8} is defined by the polynomial 
p(x) = 1 + x + x^3 + x^4 + x^8; 
it is the so-called RIJNDAEL polynomial. 
Q.2. Define the term rounds in RIJNDAEL. 

Ans. There is a certain number N_R of so-called rounds in RIJNDAEL. 
The number of rounds is given by the following table — 

The ith round receives as its input the current state S and its own so-called 
round key R_i. In particular, we need the initial round key R_0. In each round, 
except for the last one, we go through the following sequence of operations — 
S ← SubBytes(S) 
S ← ShiftRows(S) 
S ← MixColumns(S) 
S ← AddRoundKey(S, R_i) 
The last round is the same except that we drop MixColumns. 
The encrypting key is expanded first and then used to distribute round 
keys to all rounds. This and the different operations in rounds are discussed 
one by one in the following sections. Encrypting itself then consists of the 
following steps — 
(i) Initialize the state — S ← AddRoundKey(A, R_0) 
(ii) N_R − 1 "usual" rounds. 
(iii) The last round. 
When decrypting we go through the inverse steps in reverse order. 
Q.3. Define the following terms — 
(i) SubBytes (transforming bytes) (ii) ShiftRows 
(iii) MixColumns (iv) AddRoundKey. 
Ans. (i) SubBytes (Transforming Bytes) — In this operation each byte s_ij 
of the state is transformed in the following way — 
(a) Interpret s_ij as an element of the field F_{2^8} and compute its inverse 
s_ij^{−1}. It is agreed here that the inverse of the zero element is the element itself. 
(b) Expand s_ij^{−1} in eight bits b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0, denote 
b(x) = b_0 + b_1 x + b_2 x^2 + b_3 x^3 + b_4 x^4 + b_5 x^5 + b_6 x^6 + b_7 x^7 
[a polynomial in Z_2(x)] and compute 
b'(x) = b(x)(1 + x + x^2 + x^3 + x^4) + (1 + x + x^5 + x^6) mod 1 + x^8. 
The result 
b'(x) = b'_0 + b'_1 x + b'_2 x^2 + b'_3 x^3 + b'_4 x^4 + b'_5 x^5 + b'_6 x^6 + b'_7 x^7 
is interpreted as a byte b'_7 b'_6 b'_5 b'_4 b'_3 b'_2 b'_1 b'_0 or as an element of F_{2^8}. 
By the way, division by 1 + x^8 in Z_2(x) is easy since 
x^k ≡ x^(k mod 8) mod 1 + x^8. 
The operation in (b) may also be done by using matrices. We then apply 
an affine transformation in Z_2 — 
[b'_0]   [1 0 0 0 1 1 1 1] [b_0]   [1] 
[b'_1]   [1 1 0 0 0 1 1 1] [b_1]   [1] 
[b'_2]   [1 1 1 0 0 0 1 1] [b_2]   [0] 
[b'_3] = [1 1 1 1 0 0 0 1] [b_3] + [0] 
[b'_4]   [1 1 1 1 1 0 0 0] [b_4]   [0] 
[b'_5]   [0 1 1 1 1 1 0 0] [b_5]   [1] 
[b'_6]   [0 0 1 1 1 1 1 0] [b_6]   [1] 
[b'_7]   [0 0 0 1 1 1 1 1] [b_7]   [0] 

Byte transformation is done in reverse order during the decryption. Because 
in Z_2(x) 
1 = (1 + x + x^2 + x^3 + x^4)(x + x^3 + x^6) mod 1 + x^8 
(easy to verify using the Euclidean algorithm), the polynomial 1 + x + x^2 + x^3 
+ x^4 has an inverse modulo 1 + x^8 and the occurring 8 × 8 matrix is invertible 
modulo 2. This inverse is x + x^3 + x^6. 

Transforming the byte is in all a nonlinear transformation, which can be 
coded in one table, the so-called RIJNDAEL S-box. This table can be found 
for example in MOLLIN and STINSON. 

(ii) ShiftRows — In this operation the elements of the rows of the matrix representation of the state are shifted left cyclically in the following way — 

        | Row 0    | Row 1     | Row 2      | Row 3 
N_B = 4 | no shift | 1 element | 2 elements | 3 elements 
N_B = 6 | no shift | 1 element | 2 elements | 3 elements 
N_B = 8 | no shift | 1 element | 3 elements | 4 elements 

While decrypting, rows are correspondingly shifted right cyclically. 

(iii) MixColumns — In this transformation columns of the state matrix are interpreted as polynomials of maximum degree 3 in the polynomial ring F_{2^8}(z). Each column (polynomial) is multiplied by the fixed polynomial 
c(z) = c_0 ⊕ c_1 z ⊕ c_2 z^2 ⊕ c_3 z^3 ∈ F_{2^8}(z) 
where c_0 = x, c_1 = c_2 = 1 and c_3 = 1 + x, modulo 1 ⊕ z^4. Dividing by the polynomial 1 ⊕ z^4 in F_{2^8}(z) is especially easy since 
z^k ≡ z^(k mod 4) mod 1 ⊕ z^4. 
Alternatively the operation can be considered as a linear transformation of F_{2^8} — 
(s'_0i)   (c_0 c_3 c_2 c_1) (s_0i) 
(s'_1i) = (c_1 c_0 c_3 c_2) (s_1i) 
(s'_2i)   (c_2 c_1 c_0 c_3) (s_2i) 
(s'_3i)   (c_3 c_2 c_1 c_0) (s_3i) 

When decrypting we divide by the polynomial c(z) modulo 1 ⊕ z^4. Although 1 ⊕ z^4 is not an irreducible polynomial of F_{2^8}(z), c(z) has an inverse modulo 1 ⊕ z^4, because 
1 = gcd(c(z), 1 ⊕ z^4). 
The inverse is obtained using the Euclidean algorithm (hard to compute!) and it is 
d(z) = d_0 ⊕ d_1 z ⊕ d_2 z^2 ⊕ d_3 z^3 
where d_0 = x + x^2 + x^3, d_1 = 1 + x^3, d_2 = 1 + x^2 + x^3 and d_3 = 1 + x + x^3. 

So, when decrypting the column (polynomial) is multiplied by d(z) modulo 1 ⊕ z^4 and the operation is thus no more complicated than when encrypting. In matrix form in F_{2^8} — 
(s_0i)   (d_0 d_3 d_2 d_1) (s'_0i) 
(s_1i) = (d_1 d_0 d_3 d_2) (s'_1i) 
(s_2i)   (d_2 d_1 d_0 d_3) (s'_2i) 
(s_3i)   (d_3 d_2 d_1 d_0) (s'_3i) 

(iv) AddRoundKey — The round key is as long as the state. In this operation the round key is added to the state byte by byte modulo 2. The inverse operation is the same. 
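The four round operations of Q.3, as an added example that is not part of the original text: each is implemented directly from the polynomial definitions above (field arithmetic modulo p(x), the affine map and its inverse x + x^3 + x^6, the row shifts for N_B = 4, and multiplication by c(z) and d(z) modulo 1 + z^4). The function and constant names are this example's own assumptions, not those of any AES library.

```python
RIJNDAEL_POLY = 0x11B  # p(x) = 1 + x + x^3 + x^4 + x^8, bits 1 0001 1011

def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of F_{2^8} (bytes) modulo the RIJNDAEL polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= RIJNDAEL_POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse in F_{2^8}; as agreed in step (a), the inverse of 0 is 0 itself."""
    if a == 0:
        return 0
    r, base, e = 1, a, 254  # a^254 = a^-1 since a^255 = 1 for every a != 0
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def mul_mod_x8_plus_1(a: int, b: int) -> int:
    """Multiply two polynomials over Z_2 modulo 1 + x^8, using x^k = x^(k mod 8)."""
    r = 0
    for i in range(8):
        if b >> i & 1:
            for j in range(8):
                if a >> j & 1:
                    r ^= 1 << ((i + j) % 8)
    return r

AFFINE_MULT = 0b00011111      # 1 + x + x^2 + x^3 + x^4
AFFINE_CONST = 0b01100011     # 1 + x + x^5 + x^6
AFFINE_MULT_INV = 0b01001010  # x + x^3 + x^6, its inverse modulo 1 + x^8

def sub_byte(s: int) -> int:
    """SubBytes on one byte: field inverse, step (a), then the affine map, step (b)."""
    return mul_mod_x8_plus_1(gf_inv(s), AFFINE_MULT) ^ AFFINE_CONST

def inv_sub_byte(s: int) -> int:
    """Decryption direction: undo the affine map, then invert in the field."""
    return gf_inv(mul_mod_x8_plus_1(s ^ AFFINE_CONST, AFFINE_MULT_INV))

SBOX = [sub_byte(i) for i in range(256)]  # the whole nonlinear map as one table

def shift_rows(state, shifts=(0, 1, 2, 3)):
    """State as four rows of bytes; row r is rotated left by shifts[r] (N_B = 4 line of the table)."""
    return [row[k:] + row[:k] for row, k in zip(state, shifts)]

def inv_shift_rows(state, shifts=(0, 1, 2, 3)):
    """Decryption direction: rotate each row right by the same amount."""
    return [row[-k:] + row[:-k] if k else row[:] for row, k in zip(state, shifts)]

C_COEFFS = (0x02, 0x01, 0x01, 0x03)  # c_0 = x, c_1 = c_2 = 1, c_3 = 1 + x
D_COEFFS = (0x0E, 0x09, 0x0D, 0x0B)  # d_0 = x + x^2 + x^3, d_1 = 1 + x^3, d_2 = 1 + x^2 + x^3, d_3 = 1 + x + x^3

def mul_column(col, coeffs):
    """Multiply the column polynomial s_0 + s_1 z + s_2 z^2 + s_3 z^3 by c(z)
    (or d(z)) modulo 1 + z^4, where z^k = z^(k mod 4)."""
    out = [0, 0, 0, 0]
    for i, s in enumerate(col):
        for j, c in enumerate(coeffs):
            out[(i + j) % 4] ^= gf_mul(s, c)
    return out

def _by_columns(state, coeffs):
    cols = [[state[r][c] for r in range(4)] for c in range(4)]
    mixed = [mul_column(col, coeffs) for col in cols]
    return [[mixed[c][r] for c in range(4)] for r in range(4)]

def mix_columns(state):
    """Each column multiplied by c(z); in matrix form the circulant (c_0 c_3 c_2 c_1)."""
    return _by_columns(state, C_COEFFS)

def inv_mix_columns(state):
    """Decryption direction: each column multiplied by d(z) = c(z)^-1."""
    return _by_columns(state, D_COEFFS)

def add_round_key(state, round_key):
    """Byte-wise addition modulo 2; the inverse operation is the same."""
    return [[s ^ k for s, k in zip(sr, kr)] for sr, kr in zip(state, round_key)]
```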


Q.4. Describe the operating mode of AES. 

Ans. The usual way of using AES is to encrypt one long message block at a time with the same key, the so-called ECB mode (electronic codebook). 

A second way, the so-called CBC mode (cipher block chaining), is to always add modulo 2, bit by bit, a message block w_i and the preceding cryptoblock c_(i−1), i.e., w_i ⊕ c_(i−1), and encrypt it, using the same key k all the time. In the beginning we need an initial (crypto) block. Schematically CBC mode is the following — 
Fig. 2.1 
A change in a message block causes changes in the following cryptoblocks in CBC mode. This way CBC mode can be used for authentication or the so-called MAC (message authentication code) in the following way. The initial block can e.g. be formed of just 0-bits. The sender has a message that is formed of message blocks w_1, ....., w_n and he/she computes, using CBC mode, the corresponding cryptoblocks c_1, ....., c_n applying a secret key k. The sender sends the message blocks and c_n to the receiver. The receiver also has the key k and he/she can check whether the c_n is valid by using the key. 

In the so-called OFB mode (output feedback) AES is used to transform the key in a procedure similar to ONE-TIME-PAD encrypting. Starting from a certain "initial key" k_0 we get a key stream k_1, ....., k_n by encrypting this key over and over using AES; k_1 is obtained by encrypting k_0. Again, when encrypting we use the same secret key k all the time. Schematically — 
Fig. 2.2 

OFB mode gives rise to a variant, the so-called CFB mode (cipher feedback), where the key k_i of the key stream is formed by encrypting the preceding cryptoblock c_(i−1). Again k_1 is obtained by encrypting the initial block c_0. 
Fig. 2.3 
This variant can be used for authentication much as the CBC mode, which it also otherwise resembles. 
There are also other modes, for example the so-called CTR mode (counter 
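The CBC, CBC-MAC, OFB and CFB constructions of Q.4, as an added example not taken from the original text. It assumes only an abstract block function E_k: the one used here is a constructed stand-in (truncated SHA-256 of key and block), not AES, which suffices because none of these four constructions ever calls the inverse of E_k.

```python
import hashlib

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """CONSTRUCTED stand-in for AES_k: a keyed function on 16-byte blocks."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cbc_encrypt(key, c0, blocks):
    """c_i = E_k(w_i XOR c_{i-1}), starting from the initial block c_0."""
    out, prev = [], c0
    for w in blocks:
        prev = block_encrypt(key, xor(w, prev))
        out.append(prev)
    return out

def cbc_mac(key, blocks):
    """The MAC of the text: CBC from an all-zero initial block, keep only c_n."""
    return cbc_encrypt(key, bytes(BLOCK), blocks)[-1]

def ofb_keystream(key, k0, n):
    """k_1 = E_k(k_0), k_2 = E_k(k_1), ...: independent of the message."""
    ks, k = [], k0
    for _ in range(n):
        k = block_encrypt(key, k)
        ks.append(k)
    return ks

def ofb_crypt(key, k0, blocks):
    """Encryption and decryption are the same XOR with the key stream."""
    return [xor(w, k) for w, k in zip(blocks, ofb_keystream(key, k0, len(blocks)))]

def cfb_encrypt(key, c0, blocks):
    """k_i = E_k(c_{i-1}); c_i = w_i XOR k_i."""
    out, prev = [], c0
    for w in blocks:
        prev = xor(w, block_encrypt(key, prev))
        out.append(prev)
    return out

def cfb_decrypt(key, c0, cblocks):
    out, prev = [], c0
    for c in cblocks:
        out.append(xor(c, block_encrypt(key, prev)))
        prev = c
    return out

def split_blocks(msg: bytes):
    """Constructed helper: zero-pad to a multiple of 16 bytes and split."""
    msg = msg + bytes(-len(msg) % BLOCK)
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def demo():
    """Constructed sample run; returns the observations the text makes."""
    key = b"constructed key!"                          # 16-byte sample key
    w = split_blocks(b"the quick brown fox jumps over the lazy dog, twice")  # 4 blocks
    w_mod = list(w)
    w_mod[1] = xor(w_mod[1], b"\x01" + bytes(BLOCK - 1))  # flip one bit of w_2
    zero = bytes(BLOCK)                                 # initial block of 0-bits
    c, c_mod = cbc_encrypt(key, zero, w), cbc_encrypt(key, zero, w_mod)
    k0 = b"\x07" * BLOCK                                # constructed "initial key"
    o, o_mod = ofb_crypt(key, k0, w), ofb_crypt(key, k0, w_mod)
    return {
        # CBC: the change in w_2 shows up in c_2 and in every later cryptoblock
        "cbc_changed": [i for i in range(len(w)) if c[i] != c_mod[i]],
        # hence c_n works as a MAC: the modified message no longer matches it
        "mac_accepts_original": cbc_mac(key, w) == c[-1],
        "mac_rejects_modified": cbc_mac(key, w_mod) != c[-1],
        # OFB: the key stream ignores the message, so only the matching block changes
        "ofb_changed": [i for i in range(len(w)) if o[i] != o_mod[i]],
        "ofb_roundtrip": ofb_crypt(key, k0, o) == w,
        "cfb_roundtrip": cfb_decrypt(key, zero, cfb_encrypt(key, zero, w)) == w,
    }
```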
Q.5. What do you understand by public key cryptography ? 
Ans. The development of public key cryptography is the greatest and perhaps the only true revolution in the entire history of cryptography. Public-key cryptography provides a radical departure from all that has gone before. It uses mathematical functions rather than substitution or permutation techniques. 

Public-key cryptography was developed by Diffie and Hellman. This technique is also known as Asymmetric Encryption. The concept is simple. There are two keys: one is held privately and the other one is made public. What one key can lock, the other key can unlock. The use of two keys has profound consequences in the areas of confidentiality, key distribution and authentication. 
Q.6. What is PKCS ? 
Ans. The public-key cryptography standards (PKCS) are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. First published in 1991 as a result of meetings with a small group of early adopters of public-key technology, the PKCS documents have become widely referenced and implemented. Contributions from the PKCS series have become part of many formal and de facto standards, including ANSI X9 documents, PKIX, SET, S/MIME and SSL. 


Q.7. What are the misconceptions concerning public-key encryption ? Justify all of them. (R.G.P.V., Dec. 2006) 

Ans. The several common misconceptions concerning public-key encryption are mentioned below — 

(i) One such misconception is that public-key encryption is more secure from cryptanalysis than is symmetric encryption. Such a claim was made, for example, in a famous article in Scientific American by Gardner [GARD 77]. In fact, the security of any encryption scheme depends on the length of the key and the computational work involved in breaking a cipher. There is nothing in principle about either symmetric or public-key encryption that makes one superior to another from the point of view of resisting cryptanalysis. 

(ii) A second misconception is that public-key encryption is a general-purpose technique that has made symmetric encryption obsolete. On the contrary, because of the computational overhead of current public-key encryption schemes, there seems no foreseeable likelihood that symmetric encryption will be abandoned. As one of the inventors of public-key encryption has put it [DIFF 88], "the restriction of public-key cryptography to key management and signature applications is almost universally accepted". 

(iii) Finally, there is a feeling that key distribution is trivial when using public-key encryption, compared to the rather cumbersome handshaking 
The first problem is that of key distribution. It requires either 
(i) that two communicants already share a key, which somehow has been distributed to them, or 
(ii) the use of a key distribution center. 
Whitfield Diffie and Martin Hellman reasoned that this second requirement negated the very essence of cryptography: the ability to maintain total secrecy over our own communication. 

The second problem that Diffie pondered, and one that was apparently unrelated to the first, was that of "digital signatures". If the use of cryptography was to become widespread, not just in military situations but for commercial and private purposes, then electronic messages and documents would need the equivalent of signatures used in paper documents. That is, could a method be devised that would stipulate, to the satisfaction of all parties, that a digital message had been sent by a particular person ? This is a somewhat broader requirement than that of authentication, and its characteristics and ramifications. 

Diffie and Hellman achieved an astounding breakthrough in 1976 by coming up with a method (i.e. public-key encryption algorithm) that addressed both problems and that was radically different from all previous approaches to cryptography. 


Q.10. Write the difference between conventional encryption and public-key encryption. (R.G.P.V., June 2015) 
Or 
Compare conventional encryption and public-key encryption. (R.G.P.V., Dec. 2006) 
Or 
What is the fundamental difference between symmetric and asymmetric encryption ? (R.G.P.V., June 2011) 
Or 
Distinguish between symmetric and asymmetric key cryptography. (R.G.P.V., June 2014) 
Ans. The major differences between conventional and public-key encryption are as follows — 

Conventional Encryption | Public-key Encryption 
(i) The same algorithm with the same key is used for encryption and decryption. | One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption. 
(ii) The sender and receiver must share the algorithm and the key. | The sender and receiver must each have one of the matched pair of keys (not the same one). 
(iii) The key must be kept secret. | One of the two keys must be kept secret. 
(iv) It must be impossible or at least impractical to decipher a message if no other information is available. | It must be impossible or at least impractical to decipher a message if no other information is available. 
(v) Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key. | Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be insufficient to determine the other key. 
Q.11. What is public-key cryptography ? Explain. Bring out the difference between conventional encryption and public-key encryption. (R.G.P.V., June 2010) 

Ans. Public-key Cryptography — Refer to Q.5. 
Difference — Refer to Q.10. 

Q.12. What are the principles of the public-key cryptosystems ? Differentiate conventional encryption and public-key encryption. (R.G.P.V., June 2009) 

Ans. Principles — Refer to Q.9. 

Difference — Refer to Q.10. 


Q.13. What are the three broad categories of applications of public-key cryptosystems ? (R.G.P.V., June 2013, 2016, May 2019) 
Ans. Public-key systems are characterized by the use of a cryptographic type of algorithm with two keys, one held private and one available publicly. Depending on the application, the sender uses either the sender's private key or the receiver's public key, or both, to perform some type of cryptographic function. In broad terms, we can classify the use of public-key cryptosystems into three categories — 

(i) Encryption/Decryption — The sender encrypts a message with the recipient's public key. 

(ii) Digital Signature — The sender "signs" a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message. 

(iii) Key Exchange — Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key of one or both parties. 

Some algorithms are suitable for all three applications, whereas others can be used only for one or two of these applications. Table 2.1 indicates the applications supported by the algorithms given in the table. 
Table 2.1 Applications for Public-key Cryptosystems (algorithms listed: RSA, Elliptic curve, Diffie-Hellman, DSS) 

Q.14. What requirements must a public-key cryptosystem fulfil to be a secure algorithm ? 
Or 
What requirements must a public-key cryptosystem fulfil to be a secure algorithm ? Briefly explain each of them with example. (R.G.P.V., June 2008) 

Ans. The cryptosystem depends on a cryptographic algorithm based on two related keys. Diffie and Hellman postulated this system without demonstrating that such algorithms exist. However, they did lay out the conditions that such algorithms must fulfil — 
(i) It is computationally easy for a recipient B to generate a pair of keys (public key KU_b and private key KR_b). 
(ii) It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext — 
C = E_KUb(M) 
(iii) It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message — 
M = D_KRb(C) = D_KRb[E_KUb(M)] 
(iv) It is computationally infeasible for an opponent, knowing the public key, KU_b, to determine the private key, KR_b. 
(v) It is computationally infeasible for an opponent, knowing the public key, KU_b, and a ciphertext, C, to recover the original message, M. 
We can add a sixth requirement that, although useful, is not necessary for all public-key applications. 
(vi) The encryption and decryption functions can be applied in either order — 
M = E_KUb[D_KRb(M)] = D_KUb[E_KRb(M)] 
These are formidable requirements, as evidenced by the fact that only two such algorithms (RSA and Elliptic curve cryptography) have received widespread acceptance. 

Q.15. Explain how does asymmetric key encryption ensure "Non-repudiation" ? Explain with an example. (R.G.P.V., Dec. 2007) 
Ans. Let us assume that the public-key encryption and decryption algorithms have the property that E(D(P)) = P in addition to the usual property that D(E(P)) = P. Assuming that this is the case, Alice can send a signed plaintext message P to Bob by transmitting E_B(D_A(P)). Note carefully that Alice knows her own (private) decryption key, D_A, as well as Bob's public key, E_B, so constructing this message is something Alice can do. 
When Bob receives the message, he transforms it using his private key, as usual, yielding D_A(P), as shown in fig. 2.5. He stores this text in a safe place and then decrypts it using E_A to get the original plaintext. 
Fig. 2.5 Digital Signatures Using Public-key Cryptography — Alice's computer applies Alice's private key, D_A, to P and then Bob's public key, E_B; E_B(D_A(P)) crosses the transmission line; Bob's computer applies Bob's private key, D_B, to obtain D_A(P) and then Alice's public key, E_A, to obtain P. 
To see how the signature property works, suppose that Alice subsequently denies having sent the message P to Bob. When the case comes up in court, Bob can produce both P and D_A(P). The judge can easily verify that Bob indeed has a valid message encrypted by D_A by simply applying E_A to it. Since Bob does not know what Alice's private key is, the only way Bob could have acquired a message encrypted by it is if Alice did indeed send it. 

Q.16. What are six components of public key infrastructure (PKI) ? (R.G.P.V., June 2011) 
Ans. Following are the components of public key infrastructure — 

(i) Certification Authority — The certification authority (CA) takes responsibility for identifying the correctness of the identity of the person asking for a certificate to be issued, and ensures that the information contained within the certificate is correct and digitally signs it. 

(ii) Revocation — In revocation, since the system depends upon publishing certificates so that people are able to communicate with each other, there has to be a system for letting people know when certificates are no longer valid. 

(iii) Registration Authority — A CA may use a third-party registration authority (RA) to perform the necessary checks on the person or company requesting the certificate to ensure that they are who they say they are. The RA may appear to the certificate requestor as a CA, but they do not actually sign the certificate that is issued. 

(iv) Certificate Publishing Methods — One of the fundamentals of PKI systems is the need to publish certificates so that users can find them. This can be performed in two ways. One is to publish certificates in the equivalent of an electronic telephone directory. The other is to send your certificate out to those people you think might need it by one means or another. 

(v) Certificate Management System — This term refers to the management system by which certificates are published, temporarily or permanently suspended, renewed or revoked. Certificate management systems do not normally delete certificates because it may be necessary to prove their status at a point in time, perhaps for legal reasons. A CA will run certificate management systems to be able to keep track of their responsibilities and liabilities. 

(vi) PKI Aware Applications — This term usually refers to applications that have had a particular CA software supplier's toolkit added to them so that they are able to use the supplier's CA and certificates to implement PKI functions. The term does not mean that the applications have any knowledge built into them about what the security requirements really are, or which PKI services are relevant to delivering them. These issues are quite separate from having PKI services available. 
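The signed-then-encrypted message E_B(D_A(P)) of fig. 2.5 (Q.15), as an added example that is not from the original text: textbook RSA is used because its E and D commute, giving E(D(P)) = P as well as D(E(P)) = P. The primes, exponents and function names are constructed for this illustration; real keys are thousands of bits long and use padding.

```python
def rsa_keypair(p: int, q: int, e: int):
    """Return (E, D) for primes p, q and public exponent e (toy sizes, constructed)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # e must be coprime to phi(n)
    return (e, n), (d, n)

def apply_key(key, m: int) -> int:
    """E_X(m) or D_X(m): modular exponentiation with the key's exponent."""
    exp, n = key
    return pow(m, exp, n)

# constructed toy keys; Bob's modulus is the larger one so that D_A(P) < n_B
ALICE_E, ALICE_D = rsa_keypair(61, 53, 17)   # n_A = 3233
BOB_E, BOB_D = rsa_keypair(67, 71, 13)       # n_B = 4757

def alice_sends(P: int) -> int:
    """Alice signs with her private key D_A, then encrypts for Bob with E_B."""
    assert 0 <= P < ALICE_E[1], "textbook RSA handles one block P < n_A"
    return apply_key(BOB_E, apply_key(ALICE_D, P))

def bob_receives(msg: int):
    """Bob strips E_B with D_B, keeps D_A(P) as evidence, recovers P with E_A."""
    signed = apply_key(BOB_D, msg)            # = D_A(P), stored in a safe place
    return signed, apply_key(ALICE_E, signed)  # (evidence, plaintext)

def judge_checks(P: int, signed: int) -> bool:
    """Anyone holding Alice's public key can check that E_A(D_A(P)) = P."""
    return apply_key(ALICE_E, signed) == P
```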


Pplications 
hem so that 


Q.17. What drawbacks to symmetric and asymmetric encryption are resolved by using a hybrid method like Diffie-Hellman ? (R.G.P.V., June 2011) 

Ans. Problems with Symmetric Encryption — The biggest problem with symmetric encryption is that a single key must be shared in pairs of each sender and receiver. In a distributed environment with large numbers of combination pairs involved in many-to-one communication topology, it is hard for the one recipient to keep so many keys in order to support all communication. 

Besides the key distribution problem above, the size of the communication space creates problems. Secret-key cryptography, if strictly used, needs billions of secret key pairs to be created, shared, and stored because of the massive potential number of individuals who can carry on communication in many-to-one, one-to-many, and many-to-many topologies supported by the Internet, for example. Large numbers of potential correspondents in the many-to-one, one-to-many, and many-to-many communication topologies may cause symmetric encryption to fail due to its requirement of prior relationships with the parties to establish the communication protocols such as the setting up of and acquisition of the secret key. 

The following additional problems are also observable besides the problems discussed above and as a result of them — 
(i) The secret key may not be changed frequently enough to ensure 
(ii) The integrity of data can be compromised because the receiver cannot verify that the message has not been changed before receipt. 
(iii) The method does not provide a way to ensure secrecy even if the encryption process is compromised. 
(iv) It is possible for the sender to repudiate the message because there are no mechanisms for the receiver to make sure that the message has been sent by the claimed sender. 

Problems with Public Key Encryption (Asymmetric Encryption) — The main problem with public key encryption is speed. Public key algorithms are slower than symmetric algorithms. This is because public key calculations take longer than symmetric key calculations since they involve the use of exponentiation of very large numbers. 

Besides speed, public key encryption algorithms have a potential to suffer from the man-in-the-middle attack. 


Q.18. Briefly explain public-key cryptanalysis. 

Ans. As with symmetric encryption, a public-key encryption scheme is vulnerable to a brute-force attack. The countermeasure is the same, i.e., use large keys. However, there is a tradeoff to be considered. Public-key systems depend on the use of some sort of invertible mathematical function. The complexity of calculating these functions may not scale linearly with the number of bits in the key but grow more rapidly than that. Thus, the key size must be large enough to make brute-force attack impractical but small enough for practical encryption and decryption. In practice, the key sizes that have been proposed do make brute-force attack impractical but result in encryption/decryption speeds that are too slow for general purpose use. Instead, public-key encryption is currently confined to key management and signature applications. 

Another form of attack is to find some way to compute the private key given the public key. It has not been proven that this form of attack is infeasible for a particular public key algorithm. Thus, any given algorithm, including the widely used RSA algorithm, is suspect. 

Finally, there is a form of attack that is peculiar to public-key systems. In essence, this is a probable message attack. For example, suppose that a message were to be sent that consisted solely of a 56-bit DES key. An opponent could encrypt all possible 56-bit keys using the public key and could decipher any message by matching the transmitted ciphertext. Thus, no matter how large the key size of the public-key approach, the attack is reduced to a brute-force attack on a 56-bit key. This attack can be thwarted by appending some random bits to such simple messages. 
Q.19. Discuss about the discrete logarithm problem. 

Ans. There is a famous problem in mathematics known as the discrete logarithm problem (DLP) which has been very well used in the world of cryptography. The DLP has the potential of being a very difficult problem to solve and so cryptographers have created ciphers in which cracking the system would require solving the DLP. 

Given a positive integer modulus n, and two positive integers s and t = s^m, both reduced modulo n, find m. We call the smallest positive integer m such that t ≡ s^m (mod n) the discrete logarithm base s of t modulo n. 

Example — Find the discrete logarithm base 5 of 2 modulo 7. That is, we want to find the smallest integer m so that 5^m ≡ 2 (mod 7). With a small amount of trial and error we can find that 5^4 ≡ 2 (mod 7), so m = 4. 

When working in the standard real numbers, solving logarithms is a very well understood problem. We can use series to accurately solve for or give good approximations for real valued logarithms, and so for a computer this would be considered an "easy" problem. When working in the finite group (Z/pZ)* for an odd prime p, the discrete log problem (DLP) can be a very difficult problem to solve. In particular, if we choose s = g where g is a primitive root modulo p, then solving the DLP becomes extremely difficult, especially as p becomes very large. The intuition behind why this particular problem is so hard is that since g is a primitive root modulo p then, by its definition, every integer a which is relatively prime to p can be expressed as g^k ≡ a (mod p) for some positive integer k ∈ (1, φ(p)) where φ(p) = p − 1. Since p is a large prime, all integers 1, ....., p − 1 are relatively prime to p. Thus for a random exponent e ∈ (1, p − 1), g^e has an equal probability of being equivalent modulo p to any a ∈ (1, p − 1). As p then becomes very large, the probability of choosing the correct exponent, k, for which g^k ≡ t (mod p) for a given integer t is 1/(p − 1), which is extremely small. 

To date, there are no known "fast" algorithms which can solve this DLP. Because of this difficulty, cryptographers have developed ciphers which are based upon the DLP. That is, they have developed systems in which, in order to crack the system, one would need to be able to solve the DLP. 


Q.20. Describe Diffie-Hellman key exchange algorithm. (R.G.P.V., Dec. 2004, June 2015) 
Or 
Briefly discuss Diffie-Hellman key exchange scheme. (R.G.P.V., May/June 2006, May 2018) 
Or 
What is the purpose of Diffie-Hellman public key technique ? Briefly describe its (R.G.P.V., June 2008, Dec. 2008) 
Or 
Explain Diffie-Hellman key exchange algorithm. (R.G.P.V., June 2010) 
Or 
Briefly explain Diffie-Hellman key exchange. (R.G.P.V., Dec. 2003, June 2004) 
Or 
Explain Diffie-Hellman key exchange algorithm using flowchart and an example. (R.G.P.V., Dec. 2011) 
Or 
Write short note on Diffie Hellman key exchange. (R.G.P.V., June 2017) 

Ans. Diffie-Hellman key exchange is a public-key algorithm. The purpose of the algorithm is to enable two users to exchange a key securely that can then be used for subsequent encryption of messages. The algorithm is limited to the exchange of keys. The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms. 
We can define the Diffie-Hellman key exchange algorithm as follows — 

(i) Global Public Elements — For this scheme there are two publicly known numbers: a prime number q and an integer α that is a primitive root of q and α < q. 
Suppose users A and B wish to exchange a key. 

(ii) User A Key Generation — User A selects a random integer X_A < q as his private key and calculates his public key Y_A, where Y_A = α^X_A mod q. 

(iii) User B Key Generation — User B also independently selects a random integer X_B < q as his private key and computes his public key Y_B, where Y_B = α^X_B mod q. 

Now both A and B exchange their public keys and each computes the common secret key. 

(iv) Generation of Secret Key by User A — User A computes the key as K = (Y_B)^X_A mod q. 

(v) Generation of Secret Key by User B — User B computes the key as K = (Y_A)^X_B mod q. The two calculations (in steps (iv) and (v)) produce identical results — 

K = (Y_B)^X_A mod q (secret key of A) 
  = (α^X_B mod q)^X_A mod q 
  = (α^X_B)^X_A mod q 
  = α^(X_B X_A) mod q 
  = (α^X_A)^X_B mod q 
  = (α^X_A mod q)^X_B mod q 
  = (Y_A)^X_B mod q (secret key of B) 
Thus the two sides have exchanged the secret key. 

The security of the Diffie-Hellman key exchange lies in the fact that while it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms. 

Fig. 2.6 shows a simple protocol that makes use of the Diffie-Hellman calculation. 

User A: Generate random X_A < q; Calculate Y_A = α^X_A mod q; Calculate K = (Y_B)^X_A mod q. 
User B: Generate random X_B < q; Calculate Y_B = α^X_B mod q; Calculate K = (Y_A)^X_B mod q. 
Fig. 2.6 

Example — 
(i) Take prime number q = 353 and its primitive root α = 3. 
(ii) Select X_A = 97. A computes Y_A = 3^97 mod 353 = 40. 
(iii) Select X_B = 233. B computes Y_B = 3^233 mod 353 = 248. 
After they exchange public keys, each can compute the common secret key — 
A computes K = (Y_B)^X_A mod 353 = 248^97 mod 353 = 160. 
B computes K = (Y_A)^X_B mod 353 = 40^233 mod 353 = 160. 
As a result, the two sides have exchanged the secret key. 


Q.21. Write short note on meet-in-the-middle attacks. (R.G.P.V., June 2012) 
Ans. This protocol has a weakness. Eve does not have to find the value of x and y to attack the protocol. She can fool Alice and Bob by creating two keys: one between herself and Alice, and another between herself and Bob. Fig. 2.7 shows this situation. 

Fig. 2.7 Man-in-the-middle Attack — Alice: R_1 = g^x mod p; Eve: R_2 = g^z mod p; Bob: R_3 = g^y mod p. Alice computes K_1 = (R_2)^x mod p and Eve computes K_1 = (R_1)^z mod p (Alice-Eve key K_1 = g^(xz) mod p); Eve computes K_2 = (R_3)^z mod p and Bob computes K_2 = (R_2)^y mod p (Eve-Bob key K_2 = g^(zy) mod p). 

The following can happen — 
(i) Alice chooses x, calculates R_1 = g^x mod p, and sends R_1 to Bob. 
(ii) Eve, the intruder, intercepts R_1. She chooses z, calculates R_2 = g^z mod p, and sends R_2 to both Alice and Bob. 
(iii) Bob chooses y, calculates R_3 = g^y mod p, and sends R_3 to Alice. R_3 is intercepted by Eve and never reaches Alice. 
(iv) Alice and Eve calculate K_1 = g^(xz) mod p, which becomes a shared key between Alice and Eve. Alice, however, thinks that it is a key shared between Bob and herself. 
(v) Eve and Bob calculate K_2 = g^(zy) mod p, which becomes a shared key between Eve and Bob. Bob, however, thinks that it is a key shared between Alice and himself. 

In other words, two keys, instead of one, are created — one between Alice and Eve, and another between Eve and Bob. When Alice sends data to Bob encrypted with K_1 (shared by Alice and Eve), it can be deciphered and read by Eve. Eve can send the message to Bob encrypted by K_2 (shared key between Eve and Bob); or she can even change the message or send a new message. Bob is fooled into believing that the message has come from Alice. A similar scenario can happen to Alice in the other direction. 

This situation is known as a man-in-the-middle attack because Eve comes in between and intercepts R_1, sent by Alice to Bob, and R_3, sent by Bob to Alice. It is also known as a bucket brigade attack since it resembles a short line of volunteers passing a bucket of water from person to person. 


Q.22. Explain Diffie-Hellman key exchange algorithm. Calculate shared key if h = 17, g = 13, x = 3 and y = 7. Also explain Man-in-middle attack. (R.G.P.V., Dec. 2009) 

Ans. Diffie-Hellman Key Exchange Algorithm — Refer to Q.20. 

Problem — The steps are as follows — 
(i) A chooses x = 3 and calculates 13^3 mod 17 = 4. 
(ii) B chooses y = 7 and calculates 13^7 mod 17 = 4. 
(iii) A sends the number 4 to B. 
(iv) B sends the number 4 to A. 
(v) A calculates the symmetric key k = 4^3 mod 17 = 13. 
(vi) B calculates the symmetric key k = 4^7 mod 17 = 13. 
The value of k is the same for both A and B. Thus, the symmetric (shared) key is 13. 
Man-in-middle Attack — Refer to the answer of Q.21. 
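The computations of Q.19 to Q.22, as an added example not from the original text: a trial-multiplication discrete logarithm, the Diffie-Hellman exchange with the numbers used in the text (q = 353, α = 3, X_A = 97, X_B = 233, and h = 17, g = 13, x = 3, y = 7), and a simulation of fig. 2.7 showing why the public values R_1 and R_3 must be authenticated (the weakness named in Q.23). The function names are this example's own.

```python
from typing import Optional

def discrete_log(s: int, t: int, n: int) -> Optional[int]:
    """Smallest positive m with s^m = t (mod n), found by trial multiplication.
    Feasible only for tiny n: for a large prime p no fast method is known."""
    acc = 1
    for m in range(1, n):
        acc = acc * s % n
        if acc == t % n:
            return m
    return None

def dh_exchange(q: int, alpha: int, x_a: int, x_b: int):
    """Steps (ii) to (v) of Q.20: returns (Y_A, Y_B, K found by A, K found by B)."""
    y_a = pow(alpha, x_a, q)     # A's public key, alpha^X_A mod q
    y_b = pow(alpha, x_b, q)     # B's public key, alpha^X_B mod q
    k_a = pow(y_b, x_a, q)       # A computes (Y_B)^X_A mod q
    k_b = pow(y_a, x_b, q)       # B computes (Y_A)^X_B mod q
    return y_a, y_b, k_a, k_b

def mitm_exchange(p: int, g: int, x: int, y: int, z: int) -> dict:
    """The situation of fig. 2.7: Eve intercepts R_1 and R_3 and hands both
    parties R_2 = g^z mod p instead. Returns what each party ends up holding."""
    r1 = pow(g, x, p)            # Alice's value, meant for Bob
    r3 = pow(g, y, p)            # Bob's value, meant for Alice
    r2 = pow(g, z, p)            # Eve's value, delivered to both
    return {
        "alice": pow(r2, x, p),  # K_1; Alice believes it is shared with Bob
        "bob": pow(r2, y, p),    # K_2; Bob believes it is shared with Alice
        "eve": (pow(r1, z, p), pow(r3, z, p)),  # Eve holds both K_1 and K_2
        "honest": pow(r3, x, p), # the key Alice and Bob would have agreed on
    }
```

Checking that `alice` and `bob` differ from each other and from `honest`, while both equal Eve's pair, is exactly the detection an authenticated variant (signing R_1 and R_3) prevents from being needed.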


Q.23. Why is Diffie-Hellman not resilient to a man-in-the-middle attack ? (R.G.P.V., June 2007) 
Ans. A weakness of Diffie-Hellman is that although two individuals can agree on a shared secret key, there is no authentication, which means that Alice might be establishing a secret key with a bad guy. 


Q.24. Discuss the variations of computational Diffie-Hellman problem. 
Ans. Let p be a large prime number such that the discrete logarithm problem defined in Z_p^* is hard. Let G ⊆ Z_p^* be a cyclic group of prime order q and g is assumed to be a generator of G. We assume that G is of prime order, and security parameters p, q are defined in the fixed form p = 2q + 1 and ord(g) = q. A remarkable computational problem has been defined on this kind of set by Diffie and Hellman. More precisely, the Diffie-Hellman assumption (CDH assumption) is referred to as the following statement — 

Computational Diffie-Hellman problem (CDH) — On input g, g^x, g^y, compute g^(xy). 
An algorithm that solves the computational Diffie-Hellman problem is a probabilistic polynomial time Turing machine which, on input g, g^x, g^y, outputs g^(xy) with non-negligible probability. Computational Diffie-Hellman assumption means that there is no such probabilistic polynomial time Turing machine. This assumption is believed to be true for many cyclic groups, such as the prime sub-group of the multiplicative group of finite fields. 

We are considering useful variations of the Diffie-Hellman problem like square computational and decisional Diffie-Hellman problem, inverse computational and decisional Diffie-Hellman problem and divisible computational Diffie-Hellman problem. 

Q.25. Write short note on the square computational Diffie-Hellman problem. 

Ans. Square Computational Diffie-Hellman problem (SCDH) — On input g, g^x, output g^(x^2). 
An algorithm that solves the square computational Diffie-Hellman problem is a probabilistic polynomial time Turing machine which, on input g, g^x, outputs g^(x^2) with non-negligible probability. Square computational Diffie-Hellman assumption means that there is no such probabilistic polynomial time Turing machine. Fortunately, we are able to argue that the SCDH assumption and the CDH assumption are equivalent. 

SCDH ⇐ CDH 

Proof — Given an oracle A_1 which, on input g, g^x, g^y, outputs g^(xy), we want to show that there exists an algorithm A_2 which, on input g, g^x, outputs g^(x^2). Given a random value u := g^x, we choose t_1, t_2 ∈ Z_q at random, and compute u_1 = u^(t_1) = g^(x t_1) and u_2 = u^(t_2) = g^(x t_2). Therefore we are able to compute v = A_1(u_1, u_2) = g^(x^2 t_1 t_2) with non-negligible probability. It follows that g^(x^2) can be computed from v, t_1, t_2 immediately with the same advantage. 

CDH ⇐ SCDH 

Proof — Given an oracle A_2 which, on input g, g^x, outputs g^(x^2), we want to show that there exists an algorithm A_1 which, on input g, g^x, g^y, outputs g^(xy). Now given g^x, g^y, we choose s_1, s_2, t_1, t_2 ∈ Z_q at random and compute v_1 := A_2(g^(x s_1 t_1)) = g^((x s_1 t_1)^2) and v_2 := A_2(g^(y s_2 t_2)) = g^((y s_2 t_2)^2). Finally, we compute v_3 := A_2(g^(x s_1 t_1 + y s_2 t_2)) = g^((x s_1 t_1 + y s_2 t_2)^2). Since s_1, s_2, t_1, t_2 are known already, it follows that g^(xy) can be computed from v_1, v_2, v_3, s_1, s_2, t_1, t_2 immediately with the same advantage. 


Q.26. Discuss about the inverse computational Diffie-Hellman problem.
Ans. Inverse computational Diffie-Hellman problem (InvCDH) — On input g, g^x, outputs g^{x^{-1}}.
An algorithm that solves the inverse computational Diffie-Hellman problem is a probabilistic polynomial time Turing machine which, on input g, g^x, outputs g^{x^{-1}} with non-negligible probability. The inverse computational Diffie-Hellman assumption means that there is no such probabilistic polynomial time Turing machine. Fortunately, we are able to argue that the SCDH assumption and the InvCDH assumption are also equivalent.

InvCDH ⇐ SCDH
Proof — Given an oracle A1 which, on input g, g^x, outputs g^{x^2}, we want to show that there exists an algorithm A2 which, on input g, g^x, outputs g^{x^{-1}}. Given a random value g^x, we set h1 ← g^x and h2 ← g. Finally, we view (h1, h2) as an input to the oracle A1 to obtain A1(h1, h2) = g^{x^{-1}}. It follows that g^{x^{-1}} can be computed from A1 immediately with the same advantage.

SCDH ⇐ InvCDH
Proof — Given an oracle A2 which, on input g, g^x, outputs g^{x^{-1}}, we want to show that there exists an algorithm A1 which, on input g, g^x, outputs g^{x^2}. Now given g^x, we set h1 ← g^x and h2 ← g. Finally, we view (h1, h2) as an input to the oracle A2 to obtain A2(h1, h2) = A2(g^x, (g^x)^{x^{-1}}) = g^{x^2}. It follows that g^{x^2} can be computed from A2 with the same advantage.


Q.27. Discuss on the divisible computational Diffie-Hellman problem.
Ans. Divisible computational Diffie-Hellman problem (DCDH problem) — On random input g, g^x, g^y, computing g^{y/x}. We refer to this oracle as the divisible computational Diffie-Hellman problem.
An algorithm that solves the divisible computational Diffie-Hellman problem is a probabilistic polynomial time Turing machine which, on input g, g^x, g^y, outputs g^{y/x} with non-negligible probability. The divisible computational Diffie-Hellman assumption means that there is no such probabilistic polynomial time Turing machine. As desired, we are able to show that the divisible computational Diffie-Hellman assumption is equivalent to the computational Diffie-Hellman assumption —

CDH ⇐ DCDH
Proof — Suppose we are given a divisible computational Diffie-Hellman oracle denoted by A4 which, on input g, g^x, g^y, outputs g^{y/x}. We want to show that there exists an algorithm A1 which, on input g, g^x, g^y, outputs g^{xy}. Given g, g^x, g^y, we choose s1, s2, t1, t2 ∈ Z_q at random, and compute v1 := A4(g, (g^x)^{s1}, g^{s2}) = g^{s2/(x s1)}, v2 := A4(g, g^{t1}, (g^y)^{t2}) = g^{y t2/t1}. Finally, we compute v := A4(g, v1, v2) = g^{xy s1 t2/(s2 t1)}. Since s1, s2, t1, t2 are known already, it follows that g^{xy} can be computed from v, s1, s2, t1, t2 immediately with the same advantage.

DCDH ⇐ CDH
Proof — Suppose we are given a computational Diffie-Hellman oracle A1 which, on input g, g^x, g^y, outputs g^{xy}. We want to show that there is an algorithm A4 which, on input g, g^x, g^y, outputs g^{y/x}. Suppose we are given a triple g, g^x, g^y. By the equivalences of Q.25 and Q.26, from A1 we are able to construct an InvCDH oracle A3. Viewing g, g^x as an input to A3, we obtain v = g^{x^{-1}}. Finally, one views g, v, g^y as an input to A1 to obtain g^{y/x} with the same advantage.

This establishes the fact that if the underlying group is of prime order q, all the computational Diffie-Hellman problems are equivalent, i.e., CDH ⇔ SCDH ⇔ InvCDH ⇔ DCDH.

Q.28. Explain the variations of decisional Diffie-Hellman problem.
Ans. Decisional Diffie-Hellman assumption (DDH) — Let G be a large cyclic group of prime order q defined in Q.24. We consider the following two distributions —
(i) Given a Diffie-Hellman quadruple g, g^x, g^y and g^{xy}, where x, y ∈ Z_q are random strings chosen uniformly at random.
(ii) Given a random quadruple g, g^x, g^y and g^r, where x, y, r ∈ Z_q are random strings chosen uniformly at random.
An algorithm that solves the decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions. The decisional Diffie-Hellman assumption means that there is no such polynomial statistical test. This assumption is believed to be true for many cyclic groups, such as the prime sub-group of the multiplicative group of finite fields.

Square decisional Diffie-Hellman assumption (SDDH) — Let G be a large cyclic group of prime order q defined in Q.24. We consider the following two distributions —
(i) Given a square Diffie-Hellman triple g, g^x and g^{x^2}, where x ∈ Z_q is a random string chosen uniformly at random.
(ii) Given a random triple g, g^x and g^r, where x, r ∈ Z_q are two random strings chosen uniformly at random.
An algorithm that solves the square decisional Diffie-Hellman problem (SDDH for short) is a statistical test that can efficiently distinguish these two distributions. The square decisional Diffie-Hellman assumption means that there is no such polynomial statistical test.

Inverse decisional Diffie-Hellman assumption (InvDDH) — Let G be a large cyclic group of prime order q defined in Q.24. We consider the following two distributions —
(i) Given an inverse Diffie-Hellman triple g, g^x and g^{x^{-1}}, where x ∈ Z_q is a random string chosen uniformly at random.
(ii) Given a random triple g, g^x and g^r, where x, r ∈ Z_q are random strings chosen uniformly at random.
An algorithm that solves the inverse decisional Diffie-Hellman problem (InvDDH for short) is a statistical test that can efficiently distinguish these two distributions. The inverse decisional Diffie-Hellman assumption means that there is no such polynomial statistical test.

Divisible decisional Diffie-Hellman assumption (DDDH) — Let G be a large cyclic group of prime order q defined in Q.24. We consider the following two distributions —
(i) Given a divisible Diffie-Hellman quadruple g, g^x, g^y and g^{y/x}, where x, y ∈ Z_q are random strings chosen uniformly at random.
(ii) Given a random quadruple g, g^x, g^y and g^r, where x, y, r ∈ Z_q are random strings chosen uniformly at random.
An algorithm that solves the divisible decisional Diffie-Hellman problem (DDDH for short) is a statistical test that can efficiently distinguish these two distributions. The divisible decisional Diffie-Hellman assumption means that there is no such polynomial statistical test.
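The reductions of Q.25 to Q.27, as an added example (not from the textbook), run in a toy group so the algebra can be checked: p = 23, q = 11 and g = 2 of order 11 are assumed here, and the "oracles" cheat with a brute-force discrete log that is only possible because the group is tiny; the reductions themselves never use that knowledge.

```python
import random

P, Q, G = 23, 11, 2   # constructed toy group: p = 2q + 1, g has order q in Z_p^*

def dlog(h: int) -> int:
    """Brute-force discrete log base G; only the toy oracles below use it."""
    for k in range(Q):
        if pow(G, k, P) == h:
            return k
    raise ValueError("element is not in the subgroup generated by G")

def inv_q(a: int) -> int:
    """Inverse of a modulo the group order q."""
    return pow(a % Q, -1, Q)

def log_base(h: int, hx: int) -> int:
    """Exponent x with hx = h^x, for any base h != 1 in the subgroup."""
    return dlog(hx) * inv_q(dlog(h)) % Q

# Toy oracles, one per problem statement in Q.24 to Q.27.
def cdh_oracle(g, gx, gy):      # A1: (g, g^x, g^y) -> g^{xy}
    return pow(gy, log_base(g, gx), P)

def scdh_oracle(g, gx):         # A2: (g, g^x) -> g^{x^2}
    x = log_base(g, gx)
    return pow(g, x * x % Q, P)

def invcdh_oracle(g, gx):       # A3: (g, g^x) -> g^{1/x}
    return pow(g, inv_q(log_base(g, gx)), P)

def dcdh_oracle(g, gx, gy):     # A4: (g, g^x, g^y) -> g^{y/x}
    return pow(gy, inv_q(log_base(g, gx)), P)

def rand_exps(k: int) -> list:
    """Non-zero random exponents in Z_q (the s_i, t_i of the proofs)."""
    return [random.randrange(1, Q) for _ in range(k)]

# Q.25: SCDH <= CDH.  u1 = u^t1, u2 = u^t2, A1(g, u1, u2) = g^{x^2 t1 t2}.
def scdh_from_cdh(g, gx):
    t1, t2 = rand_exps(2)
    v = cdh_oracle(g, pow(gx, t1, P), pow(gx, t2, P))
    return pow(v, inv_q(t1 * t2), P)

# Q.25: CDH <= SCDH.  Three SCDH queries, then cancel the square terms.
def cdh_from_scdh(g, gx, gy):
    s1, s2, t1, t2 = rand_exps(4)
    v1 = scdh_oracle(g, pow(gx, s1, P))                      # g^{(x s1)^2}
    v2 = scdh_oracle(g, pow(gy, s2, P))                      # g^{(y s2)^2}
    mixed = pow(gx, s1 * t1 % Q, P) * pow(gy, s2 * t2 % Q, P) % P
    v3 = scdh_oracle(g, mixed)                               # g^{(x s1 t1 + y s2 t2)^2}
    # (x s1 t1 + y s2 t2)^2 = (x s1)^2 t1^2 + 2 x y s1 s2 t1 t2 + (y s2)^2 t2^2
    squares = pow(v1, t1 * t1 % Q, P) * pow(v2, t2 * t2 % Q, P) % P
    cross = v3 * pow(squares, -1, P) % P                     # g^{2 x y s1 s2 t1 t2}
    return pow(cross, inv_q(2 * s1 * s2 * t1 * t2), P)

# Q.26: InvCDH <= SCDH.  With h1 = g^x and h2 = g = h1^{1/x}, the SCDH oracle
# on (h1, h2) returns h1^{(1/x)^2} = g^{1/x}.
def invcdh_from_scdh(g, gx):
    return scdh_oracle(gx, g)

# Q.26: SCDH <= InvCDH.  The InvCDH oracle on (h1, h2) returns h1^{1/(1/x)} = g^{x^2}.
def scdh_from_invcdh(g, gx):
    return invcdh_oracle(gx, g)

# Q.27: CDH <= DCDH.  v1 = g^{s2/(x s1)}, v2 = g^{y t2/t1},
# A4(g, v1, v2) = g^{xy s1 t2/(s2 t1)}, then strip the known factor.
def cdh_from_dcdh(g, gx, gy):
    s1, s2, t1, t2 = rand_exps(4)
    v1 = dcdh_oracle(g, pow(gx, s1, P), pow(g, s2, P))
    v2 = dcdh_oracle(g, pow(g, t1, P), pow(gy, t2, P))
    v = dcdh_oracle(g, v1, v2)
    return pow(v, s2 * t1 * inv_q(s1 * t2) % Q, P)

def check_reductions(x: int, y: int) -> tuple:
    """Compare every reduction against the value it is supposed to produce."""
    gx, gy = pow(G, x, P), pow(G, y, P)
    want_xy = pow(G, x * y % Q, P)
    want_x2 = pow(G, x * x % Q, P)
    want_inv = pow(G, inv_q(x), P)
    return (scdh_from_cdh(G, gx) == want_x2,
            cdh_from_scdh(G, gx, gy) == want_xy,
            invcdh_from_scdh(G, gx) == want_inv,
            scdh_from_invcdh(G, gx) == want_x2,
            cdh_from_dcdh(G, gx, gy) == want_xy)

if __name__ == "__main__":
    print(check_reductions(4, 7))
```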


NUMERICAL PROBLEMS

Prob.1. For a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2 —
(i) Show that 2 is a primitive root of 11.
(ii) If user A has public key Y_A = 9, what is A's private key X_A?
(iii) If user B has public key Y_B = 3, what is the shared secret key K, shared with A? (R.G.P.V., June 2010)
Sol. (i) We know that a primitive root of a prime number p is one whose powers generate all the integers from 1 to p − 1. That is, if 2 (a) is a primitive root of the prime number 11 (p), then the numbers 2 mod 11, 2^2 mod 11, ..., 2^{11−1} mod 11 are distinct and consist of the integers from 1 through 10. Indeed, 2^1, 2^2, ..., 2^10 mod 11 give 2, 4, 8, 5, 10, 9, 7, 3, 6, 1, which are all distinct.
(ii) Here q = 11 and a = 2
Y_A = 9, X_A = ?
According to Diffie-Hellman scheme,
Y_A = a^{X_A} mod q
9 = 2^{X_A} mod 11
Solving the above equation, we get
9 = 2^6 mod 11
∴ X_A = 6
Thus A's private key X_A = 6.
(iii) Here q = 11, X_A = 6 (from above), Y_B = 3
According to Diffie-Hellman scheme,
K = (Y_B)^{X_A} mod q
= (3)^6 mod 11
= (729) mod 11 = 3
Thus, the shared secret key K = 3. Ans.

Prob.2. Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2.
(i) If user A has public key Y_A = 9, what is A's private key X_A?
(ii) If user B has public key Y_B = 3, what is the shared secret key? (R.G.P.V., June 2005)
Sol. Refer to Prob.1 (ii) and (iii).


Prob.3. Briefly explain Diffie-Hellman key exchange. The Diffie-Hellman key exchange is being used to establish a secret key between 'A' and 'B'. 'A' sends B (719, 3, 191). B responds with (543). A's secret number X_A is 16. What is the secret key? (R.G.P.V., Dec. 2006)
Sol. Diffie-Hellman Key Exchange Algorithm — Refer to Q.20.
In the given problem,
a = 3, q = 191
X_A = 16, X_B = Not known
Y_A = 719, Y_B = 543
A can calculate the secret key as below,
k = (Y_B)^{X_A} mod q = (543)^16 mod 191
Now, according to modular arithmetic we can proceed as follows —
k = [(543)^8 mod 191 × (543)^8 mod 191] mod 191
Now (543)^8 mod 191 = [(543)^4 mod 191 × (543)^4 mod 191] mod 191
Now (543)^4 mod 191 = [(543)^2 mod 191 × (543)^2 mod 191] mod 191
Now (543)^2 mod 191 = (294849) mod 191 = 136
Thus (543)^4 mod 191 = (136 × 136) mod 191
= (18496) mod 191 = 160
Now (543)^8 mod 191 = (160 × 160) mod 191
= (25600) mod 191 = 6
Finally (543)^16 mod 191 = (6 × 6) mod 191 = 36 mod 191 = 36
Thus, the secret key k = 36. Ans.
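The Diffie-Hellman computations of Prob.1 to Prob.3 in Python, as an added example that is not from the textbook: a primitive-root check, a brute-force recovery of the private key from the public key (feasible only because q = 11 is tiny, which is exactly the discrete-logarithm problem the scheme rests on) and the repeated-squaring exponentiation used by hand in Prob.3. The function names are this example's own.

```python
def is_primitive_root(a: int, p: int) -> bool:
    """True if the powers a^1 .. a^(p-1) mod p are all of 1 .. p-1 (Prob.1 (i))."""
    return sorted(pow(a, k, p) for k in range(1, p)) == list(range(1, p))

def brute_force_private_key(y: int, a: int, q: int) -> int:
    """Recover x with a^x = y (mod q) by trying every exponent (Prob.1 (ii)).
    For q = 11 this is instant; for a 2048-bit q it is infeasible, and that
    gap is the whole security argument of the scheme."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    raise ValueError("no exponent found: a is not a generator or y is not in the group")

def square_and_multiply(base: int, exp: int, mod: int) -> int:
    """Right-to-left binary exponentiation: the same repeated squaring that
    Prob.3 does by hand for 543^16 mod 191, reducing after every product."""
    result = 1
    base %= mod
    while exp:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result

def dh_public_key(a: int, q: int, x: int) -> int:
    """Y = a^X mod q."""
    return square_and_multiply(a, x, q)

def dh_shared_key(peer_public: int, x: int, q: int) -> int:
    """K = (Y_peer)^X mod q; both sides obtain the same value."""
    return square_and_multiply(peer_public, x, q)

def prob1_and_prob3() -> tuple:
    """Reproduce the book's answers: X_A = 6 and K = 3 for q = 11 (Prob.1),
    k = 36 for q = 191 (Prob.3)."""
    q, a = 11, 2
    x_a = brute_force_private_key(9, a, q)     # Y_A = 9  ->  X_A = 6
    k = dh_shared_key(3, x_a, q)               # Y_B = 3  ->  K = 3^6 mod 11 = 3
    k3 = dh_shared_key(543, 16, 191)           # Prob.3: 543^16 mod 191 = 36
    return x_a, k, k3

if __name__ == "__main__":
    print(is_primitive_root(2, 11), prob1_and_prob3())
```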


| 
Prob.4. Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 71 and a primitive root a = 7.
(i) If user A has private key X_A = 5, what is A's public key Y_A?
(ii) If user B has private key X_B = 12, what is B's public key Y_B? (R.G.P.V., June 2014)
Sol. Given that, q = 71, a = 7, X_A = 5, X_B = 12.
(i) A computes Y_A = 7^5 mod 71
(A's public key) Y_A = 51
(ii) B computes Y_B = 7^12 mod 71
(B's public key) Y_B = 3

RSA ASSUMPTIONS & CRYPTOSYSTEM, RSA SIGNATURES, SCHNORR IDENTIFICATION SCHEMES, PRIMALITY TESTING

Q.29. Explain the RSA algorithm with an example.
Or
Write short note on RSA encryption algorithm. (R.G.P.V., June 2006, May 2018)
Or
Write down RSA algorithm. Explain with the help of an example. (R.G.P.V., Dec. 2006)
Or
Write short note on RSA algorithm. (R.G.P.V., June 2008)
Or
Write a short note on RSA. (R.G.P.V., June 2015)
Ans. RSA, named after its three creators — Rivest, Shamir and Adleman — was the first effective public key algorithm and for years has withstood intense scrutiny by cryptanalysts all over the world.
RSA relies on the fact that it is easy to multiply two large prime numbers together, but extremely hard (i.e., time consuming) to factor them back from the result.
The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and n − 1 for some n, whose typical size is 1024 bits. The RSA algorithm is as follows —
(i) Key Generation —
(a) Select two very large prime numbers, normally of equal length. Let them be denoted by p and q respectively, but p ≠ q.
(b) Calculate n = pq
(c) Calculate the Euler totient function φ(n), where φ(n) = (p − 1)(q − 1)
(d) Select an integer e such that gcd(φ(n), e) = 1 and 1 < e < φ(n)
(e) Determine d such that d = e^{-1} mod φ(n), i.e., ed ≡ 1 mod φ(n)
(f) Now, the public key, KU = {e, n}
and the private key, KR = {d, n}
(ii) Encryption — Let the plaintext be M such that M < n; then,
Ciphertext, C = M^e mod n
(iii) Decryption — Given ciphertext C; then,
Plaintext, M = C^d mod n
Example — Key generation —
(a) Select two prime numbers
p = 17 and q = 11
(Usually large values must be selected)
(b) Calculate n = pq = 17 × 11 = 187
(c) Calculate φ(n) = (p − 1)(q − 1) = 16 × 10 = 160.
(d) Select e, such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7.
(e) Determine d such that
de ≡ 1 mod 160 and d < 160.
The correct value is d = 23.
(f) The resulting keys are —
Public key, KU = {e, n} = {7, 187}
and Private key, KR = {d, n} = {23, 187}
Encryption —
Let plaintext M = 88; then
Ciphertext, C = 88^7 mod 187 = 11
Decryption —
To decrypt calculate M = 11^23 mod 187 = 88
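The steps of Q.29 in Python, as an added example that is not from the textbook, using the worked numbers p = 17, q = 11, e = 7, M = 88; the exponentiation is written out as the square-and-multiply of Q.33 (ii) rather than calling pow(), so the per-bit work is visible. The function names and the extended-Euclid inverse are this example's own choices.

```python
from math import gcd

def modexp(base: int, exp: int, n: int) -> int:
    """Left-to-right square-and-multiply: one squaring per bit of exp plus one
    multiplication per 1 bit, every product reduced mod n immediately, so
    intermediate values never exceed the width of n."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % n
        if bit == "1":
            result = (result * base) % n
    return result

def modinv(e: int, phi: int) -> int:
    """d with e*d = 1 (mod phi) by the extended Euclidean algorithm (step (e))."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return old_s % phi

def generate_keys(p: int, q: int, e: int) -> tuple:
    """Steps (a) to (f): returns (public key (e, n), private key (d, n))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = modinv(e, phi)
    return (e, n), (d, n)

def encrypt(m: int, public: tuple) -> int:
    """C = M^e mod n, valid only for 0 <= M < n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext block must be smaller than n")
    return modexp(m, e, n)

def decrypt(c: int, private: tuple) -> int:
    """M = C^d mod n."""
    d, n = private
    return modexp(c, d, n)

def q29_example() -> tuple:
    """The book's example: keys {7, 187} / {23, 187}, C = 11, M back to 88."""
    public, private = generate_keys(17, 11, 7)
    c = encrypt(88, public)
    return public, private, c, decrypt(c, private)

if __name__ == "__main__":
    print(q29_example())
```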
Q.30. Discuss about the security of RSA.
Ans. Three possible approaches to attacking the RSA algorithm are as follows —
(i) Brute Force — This involves trying all possible private keys.
(ii) Mathematical Attacks — There are several approaches, all equivalent in effect to factoring the product of two primes.
(iii) Timing Attacks — These depend on the running time of the decryption algorithm.
The defence against the brute force attack is the same for RSA as for other cryptosystems, i.e., use a large key space. Thus, the larger the number of bits in e and d, the better. But the problem is that the larger the size of the key, the slower the system will run.
The Factoring Problem — We can identify three approaches to attacking RSA mathematically —
(i) Factor n into its two prime factors. This enables calculation of φ(n), which in turn enables determination of d = e^{-1} mod φ(n).
(ii) Determine φ(n) directly, without first determining p and q. Again, this enables determination of d = e^{-1} mod φ(n).
(iii) Determine d directly, without first determining φ(n).
Thus, it is clear that the security of RSA depends on the ability of the hacker to factorize numbers.
In August 1999, a specific assessment of the security of 512-bit RSA showed that one may be factored for less than $1,000,000 in cost and eight months of effort. Thus, we need to be careful in choosing the key size for RSA. For the near future, a key size in the range of 1024 to 2048 bits seems reasonable. For instance, an Intel Paragon, which can achieve 50,000 MIPS, would take a million years to factor a 2048-bit key using current techniques.
Timing Attacks — Paul Kocher, a cryptographic consultant, demonstrated that a snooper can determine a private key by keeping track of how long a computer takes to decipher messages. Timing attacks are applicable not just to RSA, but to other public-key cryptography systems. This attack is alarming for two reasons — it comes from a completely unexpected direction and it is a ciphertext-only attack.
A timing attack is somewhat analogous to a burglar guessing the combination of a safe by observing how long it takes for someone to turn the dial from number to number.
Although the timing attack is a serious threat, there are some countermeasures that can be used —
(i) Constant Exponentiation Time — Ensure that all exponentiations take the same amount of time before returning a result. This is a simple fix but could degrade performance.
(ii) Random Delay — Better performance could be achieved by adding a random delay to the exponentiation algorithm to confuse the timing attack. Kocher points out that if defenders don't add enough noise, attackers could still succeed by collecting additional measurements to compensate for the random delays.
(iii) Blinding — Multiply the ciphertext by a random number before performing exponentiation. This process prevents the attacker from knowing what ciphertext bits are being processed inside the computer and therefore prevents the bit-by-bit analysis essential to the timing attack.
RSA Data Security incorporates a blinding feature into some of its products, but with a 2 to 10% performance penalty.

Q.31. Explain factoring problem in RSA. (R.G.P.V., June 2016)
Ans. Refer to Q.30.

Q.32. Explain why the security of RSA depends on the difficulty of factoring large numbers? (R.G.P.V., Dec. 2008)
Ans. Refer to Q.30.

Q.33. What are the performance factors of RSA algorithm?
Ans. The performance factors of RSA algorithm are —
(i) Time Complexity — Both encryption and decryption involve repeated multiplications of b-bit numbers. Unoptimized multiplication of two b-bit numbers and reduction modulo n both take O(b^2) time. The encryption key is usually a small integer, so encryption involves a small, constant number of modulo n multiplications. Hence, the time complexity of encryption is O(b^2).
Decryption, on the other hand, involves raising a b-bit number to the power of d. A naive implementation of decryption thus involves d multiplications. Since d is of the same order as n, the complexity of a decryption operation is O(nb^2).
(ii) Speeding Up RSA — Decryption of ciphertext c is sped up by computing c, c^2, c^4, c^8, etc., up to a maximum of b terms. Each element in the series is the square of the preceding element. Then we multiply the elements in the series whose positions correspond to 1's in the binary representation of the decryption key d. Of course, each multiplication is a modulo n multiplication, so the intermediate products are never more than b bits wide. This approach, which first computes squares, followed by products, is referred to as "square and multiply". In general, decryption involves b − 1 square operations and at most b multiplications. Also, each square operation and each multiplication is followed by a reduction modulo n. Hence the time for decryption is O(b^3), considerably slower than the O(b^2) time necessary for encryption.
The choice of key size represents a trade-off between security and performance. A large key size provides greater security, but the times for encryption and decryption increase. The asymptotic complexities tell us that doubling the key size increases the time for encryption by, roughly, a factor of 4, while the time for decryption increases by a factor of 8.
(iii) Software Performance — The Java programming language has a number of APIs of relevance to cryptography. These include APIs for key generation and encryption/decryption, message digests and digital signatures. These are contained in the Java security package and its various subpackages. Java also permits the import of classes created by various third parties that implement cryptographic algorithms. An example of a third party is Bouncy Castle. Bouncy Castle cryptographic APIs are available for use in both Java and C++ programs. An example of the use of the Java APIs for key generation, encryption and decryption is shown in fig. 2.8.

// Assumes the Bouncy Castle provider has been registered under the name "BC".
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.Cipher;

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
kpg.initialize(1024);                          // 1024-bit modulus
KeyPair kp = kpg.generateKeyPair();
Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding", "BC");
String plainText = "Hello World";
c.init(Cipher.ENCRYPT_MODE, kp.getPublic());   // encrypt with the public key
byte[] encryptedText = c.doFinal(plainText.getBytes());
c.init(Cipher.DECRYPT_MODE, kp.getPrivate());  // decrypt with the private key
byte[] decryptedText = c.doFinal(encryptedText);
String recoveredText = new String(decryptedText);
Fig. 2.8 Illustrating Java APIs for RSA Encryption/Decryption

Q.34. Write short note on RSA signatures.
Ans. A signature system is obtained from RSA by defining —
k_s = (n, b) and k_v = (n, a),
s_k(w) = (w, (w^b mod n)) and
v_k(w, u) = CORRECT, if w = u^a mod n
          = FALSE otherwise
Faking this signature in one way or another is equivalent to breaking RSA. An outside party can however choose a signature u by taking w = u^a mod n as the message. Such a message does not contain any information. This does not work if a one-way hash function h is used. In that case
s_k(w) = (w, (h(w)^b mod n)) and
v_k(w, u) = CORRECT, if h(w) = u^a mod n
          = FALSE otherwise
RSA can also be used to get a so-called blind signature. If A wishes to sign a message w of B, without knowing its content, the procedure is the following —
(i) B chooses a random number t such that gcd(t, n) = 1, computes the number k = (t^a w mod n) and sends it to A.
(ii) A computes the signature u' = (k^b mod n) as if the message belonged to B.
(iii) B computes the number u = (t^{-1} u' mod n).
Because A does not know the number t, he/she does not get any information about the message w. On the other hand, u is the correct signature of the message w, since
t^{-1} u' = t^{-1} k^b = t^{-1} t^{ab} w^b = t^{-1} t w^b = w^b mod n.
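The blinding step that Q.30 lists as a timing-attack countermeasure and the blind signature of Q.34 use the same trick, shown here in one added example (not from the textbook) on the toy key of Q.29, i.e., n = 187 with a = 7 and b = 23 in Q.34's notation; the helper names are this example's own and a fresh t is drawn for every operation.

```python
import secrets
from math import gcd

N, E, D = 187, 7, 23   # Q.29's toy key: (n, a) = (187, 7) public, b = 23 private

def random_unit(n: int) -> int:
    """A random t in [2, n-1] with gcd(t, n) = 1, so t is invertible mod n."""
    while True:
        t = secrets.randbelow(n - 2) + 2
        if gcd(t, n) == 1:
            return t

def blinded_decrypt(c: int, d: int = D, e: int = E, n: int = N) -> int:
    """Q.30 countermeasure (iii): exponentiate t^e * c instead of c, then strip t.
    The secret-key exponentiation sees a value unrelated to c, so its running
    time leaks nothing usable about c; the result still equals c^d mod n."""
    t = random_unit(n)
    blinded = (pow(t, e, n) * c) % n
    m_blinded = pow(blinded, d, n)              # = t^(ed) * c^d = t * c^d (mod n)
    return (m_blinded * pow(t, -1, n)) % n

# Blind signature of Q.34: B hides w from the signer A with the same factor t.
def blind(w: int, a: int = E, n: int = N) -> tuple:
    """Step (i): B picks t and sends k = t^a * w mod n."""
    t = random_unit(n)
    return t, (pow(t, a, n) * w) % n

def sign(k: int, b: int = D, n: int = N) -> int:
    """Step (ii): A returns u' = k^b mod n without learning w."""
    return pow(k, b, n)

def unblind(u_prime: int, t: int, n: int = N) -> int:
    """Step (iii): B computes u = t^-1 * u' mod n."""
    return (pow(t, -1, n) * u_prime) % n

def verify(w: int, u: int, a: int = E, n: int = N) -> bool:
    """v_k(w, u): CORRECT iff w = u^a mod n."""
    return pow(u, a, n) == w % n

def blind_signature_roundtrip(w: int) -> tuple:
    """Returns (u, verify result, whether u equals the ordinary signature w^b)."""
    t, k = blind(w)
    u = unblind(sign(k), t)
    return u, verify(w, u), u == pow(w, D, N)

if __name__ == "__main__":
    print(blinded_decrypt(11), blind_signature_roundtrip(88))
```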
96 Cryptography & Information Security

Q.35. Define the RSA digital signature scheme and compare it to the RSA cryptosystem.
Ans. When the concept of RSA is used for signing and verifying a message it is called the RSA digital signature scheme. The digital signature scheme changes the roles of the private and public keys. The private and public keys of the sender are used. The sender uses her own private key to sign the document; the receiver uses the sender's public key to verify it. If we compare the scheme with the conventional way of signing, we see that the private key plays the role of the sender's own signature, and the sender's public key plays the role of the copy of the signature that is available to the public. Obviously John cannot use William's public key to sign the message because then any other person could do the same. The signing and verifying sites use the same function but with different parameters. The verifier compares the message and the output of the function for congruence. The message is accepted if the result is true. The RSA digital signature scheme is shown in fig. 2.9.

[Fig. 2.9 RSA Digital Signature Scheme: John (Signer) signs with his Private Key (d, n); William verifies with John's Public Key (e, n)]

Key Generation — Key generation is exactly the same as in the RSA cryptosystem. John selects two primes p and q and calculates n = p × q. He calculates φ(n) = (p − 1)(q − 1). Then, he selects e, the public exponent, and calculates d, the private exponent, such that e × d = 1 mod φ(n). John keeps d and publicly announces n and e.
Signing — John creates a signature out of the message using his private exponent, S = M^d mod n, and sends the message and the signature to William.
Verifying — William receives M and S. William applies John's public exponent to the signature to create a copy of the message M' = S^e mod n. William compares the value of M' with the value of M. William accepts the message if the two values are congruent.

Q.36. Explain the term Schnorr's identification scheme.
Ans. Let p and q be two primes such that q | p − 1 and |q| = n. Let g ≠ 1 be an element of order q in Z_p^*. Let G be the subgroup generated by g. The integers p, q, g are known and can be common to a group of users.
An identity consists of a private/public key pair. The private key w is a random non-negative integer less than q. The public key is computed as y = g^{-w} mod p. The protocol is described in fig. 2.10.

Schnorr
Common Input — p, q, g, y. A security parameter t.
Secret Input for the Prover — w ∈ Z_q such that y = g^{-w} mod p.
(i) Commitment by Prover. Prover picks r ∈_R Z_q and sends x = g^r mod p to the Verifier.
    Prover ---- x ----> Verifier
(ii) Challenge from Verifier. Verifier picks a number e ∈_R [1...2^t] and sends it to the Prover.
    Prover <---- e ---- Verifier
(iii) Response from Prover. Prover computes s = r + w.e mod q and sends it to the Verifier.
    Prover ---- s ----> Verifier
The Verifier checks that x = g^s . y^e mod p and accepts if and only if equality holds.
Fig. 2.10 Schnorr's Protocol

The Schnorr protocol is only honest-verifier zero-knowledge: if a dishonest verifier chooses the challenge e in a non-random way (particularly dependent on the first message x), we are not able to simulate the interaction. The Schnorr scheme is secure against impersonation under concurrent attacks, under the assumption that the discrete logarithm is secure under one-more inversion in the underlying group.

Q.37. Explain the batching Schnorr identification scheme.
Ans. A naive generalization of Schnorr's scheme would be to do the authentication of d identities by composing d rounds in parallel, i.e., the prover would send d commitments — one per identity — and the verifier would reply with d challenges. Note that this scheme has a communication and computation cost that is d times the cost of Schnorr's original scheme. A possible improvement would be to use the same challenge for all identities and apply batch verification techniques to the last verification step. Even with these improvements, the communication and computation cost of this scheme would still be higher by a factor of d (the prover would still have to send and compute d commitments).
We propose a more efficient scheme where the prover sends one commitment and the verifier sends one challenge across all identities. The prover's response is generalized from a degree one polynomial to a degree d polynomial formed from the d secret keys. We are able to show that the resulting scheme is sound and further that it is secure against impersonation under concurrent attacks. We present two theorems that demonstrate that the new scheme is an honest-verifier zero knowledge proof of knowledge and also a secure identification against impersonation under concurrent attacks.
The parameters are very similar to Schnorr. Let p and q be two primes such that q | p − 1. Let g ≠ 1 be an element of order q in Z_p^*. The integers p, q, g are public and can be common to a group of users.
There are d identities, each consisting of a private/public key pair indexed by i. The private keys w_i are non-negative integers less than q, chosen uniformly at random. The public keys are computed as y_i = g^{-w_i} mod p. The Prover initiates the protocol by sending over the list of public keys y_i for which it knows the corresponding private keys w_i. The protocol is described in fig. 2.11.

Batch-Schnorr
Common Input — p, q, g, y_1, ..., y_d. A security parameter t.
Secret Input for the Prover — w_i ∈ Z_q such that y_i = g^{-w_i} mod p.
(i) Commitment by Prover. Prover picks r ∈_R Z_q and sends x = g^r mod p to the Verifier.
    Prover ---- x ----> Verifier
(ii) Challenge from Verifier. Verifier picks a number e ∈_R [1...2^{(t + log d)}] and sends it to the Prover.
    Prover <---- e ---- Verifier
(iii) Response from Prover. Prover computes s = r + Σ_i w_i e^i mod q and sends it to the Verifier.
    Prover ---- s ----> Verifier
The Verifier checks that x = g^s . Π_i y_i^{e^i} mod p and accepts if and only if equality holds.
Fig. 2.11 Batch Version of Schnorr's Protocol
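Schnorr's protocol (fig. 2.10) and its batch version (fig. 2.11) run end to end, as an added example that is not from the textbook, in an assumed toy group p = 23, q = 11, g = 2 with a tiny security parameter t; the verifier sees only x, e, s and the public keys, and an impersonation attempt with one unknown key is included to show the check rejecting it.

```python
import secrets

P, Q, G = 23, 11, 2   # constructed toy group: q | p - 1 and g has order q in Z_p^*

def keygen(w: int) -> int:
    """Public key y = g^-w mod p for a private key w in Z_q."""
    return pow(G, (-w) % Q, P)

# ---- Schnorr, fig. 2.10 ----
def schnorr_commit() -> tuple:
    """(i) Prover picks r in Z_q and commits to x = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def schnorr_challenge(t: int) -> int:
    """(ii) Verifier picks e in [1 .. 2^t]."""
    return secrets.randbelow(2 ** t) + 1

def schnorr_respond(r: int, w: int, e: int) -> int:
    """(iii) s = r + w.e mod q."""
    return (r + w * e) % Q

def schnorr_verify(x: int, y: int, e: int, s: int) -> bool:
    """Accept iff x = g^s . y^e mod p."""
    return x == (pow(G, s, P) * pow(y, e, P)) % P

def schnorr_run(w: int, t: int = 4) -> bool:
    """One honest execution; always accepts for a prover who knows w."""
    y = keygen(w)
    r, x = schnorr_commit()
    e = schnorr_challenge(t)
    return schnorr_verify(x, y, e, schnorr_respond(r, w, e))

# ---- Batch-Schnorr, fig. 2.11: one commitment and one challenge for d keys ----
def batch_challenge(t: int, d: int) -> int:
    """(ii) e in [1 .. 2^(t + log d)], with log d rounded up to an integer."""
    return secrets.randbelow(2 ** (t + (d - 1).bit_length())) + 1

def batch_respond(r: int, ws: list, e: int) -> int:
    """(iii) s = r + sum_{i=1..d} w_i e^i mod q: a degree-d polynomial in e."""
    return (r + sum(w * pow(e, i, Q) for i, w in enumerate(ws, start=1))) % Q

def batch_verify(x: int, ys: list, e: int, s: int) -> bool:
    """Accept iff x = g^s . prod_{i=1..d} y_i^(e^i) mod p."""
    prod = 1
    for i, y in enumerate(ys, start=1):
        prod = prod * pow(y, pow(e, i, Q), P) % P
    return x == pow(G, s, P) * prod % P

def batch_run(ws: list, t: int = 4, e: int = None) -> bool:
    """Honest prover holding every w_i; e may be fixed for a reproducible run."""
    ys = [keygen(w) for w in ws]
    r, x = schnorr_commit()
    if e is None:
        e = batch_challenge(t, len(ws))
    return batch_verify(x, ys, e, batch_respond(r, ws, e))

def impersonation_attempt(claimed_ws: list, known_ws: list, e: int) -> bool:
    """A prover who claims the public keys of claimed_ws but answers with
    known_ws. If any key differs, the check fails for every e not divisible
    by q, because g^s picks up a factor g^((w'_i - w_i) e^i) that is not 1."""
    ys = [keygen(w) for w in claimed_ws]
    r, x = schnorr_commit()
    return batch_verify(x, ys, e, batch_respond(r, known_ws, e))

if __name__ == "__main__":
    print(schnorr_run(7), batch_run([3, 5, 8]), impersonation_attempt([3, 5, 8], [3, 6, 8], 5))
```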


Q.38. Write short note on primality testing.
Ans. A primality test is simply an algorithm that tests, either probabilistically or deterministically, whether or not a given input number is prime. A general primality test does not provide us with a prime factorization of a number not found to be prime, but simply labels it as composite. In cryptography, for example, we often need the generation of large primes, and one technique for this is to pick a random number of the requisite size and determine if it is prime. The larger the number, the greater will be the time required to test this, and this is what prompts us to search for efficient primality tests that are polynomial in complexity. Note that the desired complexity is logarithmic in the number itself and hence polynomial in its bit-size, as a number n requires O(log n) bits for its binary representation.
There are some primality tests which conclusively determine whether a number is prime or composite and are therefore deterministic, while others, such as the Fermat and the Miller-Rabin tests, despite correctly classifying prime numbers, may allow some composites to filter through, incorrectly labelling them as primes or probable primes, and this makes these tests probabilistic. There are usually four criteria which we look for in an ideal primality testing algorithm: it must be general, unconditional, deterministic and polynomial in complexity.
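The Fermat and Miller-Rabin tests of Q.38 side by side, as an added example that is not from the textbook: 561 = 3 × 11 × 17 is a Carmichael number, so it passes the Fermat test for every base coprime to it, while Miller-Rabin catches it; the round count, seeds and helper names are this example's own choices.

```python
import random
from math import gcd

def fermat_probably_prime(n: int, bases) -> bool:
    """Fermat test: n passes if a^(n-1) = 1 (mod n) for every base a tried."""
    if n < 2:
        return False
    return all(pow(a, n - 1, n) == 1 for a in bases)

def miller_rabin(n: int, rounds: int = 20, rng=random.Random(2024)) -> bool:
    """Miller-Rabin: 'composite' is always right; 'prime' is wrong with
    probability at most 4^-rounds for any composite n."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0                 # write n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True

def is_prime_trial_division(n: int) -> bool:
    """Deterministic reference used to check the probabilistic tests."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def carmichael_demo(n: int = 561) -> tuple:
    """(Fermat verdict over all bases coprime to n, Miller-Rabin verdict, truth)."""
    coprime_bases = [a for a in range(2, n) if gcd(a, n) == 1]
    return (fermat_probably_prime(n, coprime_bases),
            miller_rabin(n),
            is_prime_trial_division(n))

def random_prime(bits: int, rng=random.Random(7)) -> int:
    """Q.38's generation technique: draw random odd candidates of the requested
    size until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand

if __name__ == "__main__":
    print(carmichael_demo(), random_prime(32))
```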


NUMERICAL PROBLEMS

Prob.5. Perform encryption and decryption using the RSA algorithm for the following data —
p = 3, q = 11 (p and q are prime numbers)
e = 7, m = 5 (e — encryption key, m — message) (R.G.P.V., Dec. 2005)
Sol. Here p = 3, q = 11, e = 7, m = 5, d = ?
n = p × q = 3 × 11 = 33
φ(n) = (p − 1)(q − 1) = 2 × 10 = 20
First we find d such that
ed = 1 mod φ(n)
7 × d = 1 mod 20
d = 3
To encrypt the message m = 5 we use
C = m^e (mod n) = 5^7 mod 33
= 78125 mod 33 = 14
After encryption m = 5 becomes C = 14.
Now performing the decryption we get
C = 14,
To get back the plaintext M, we use
M = C^d (mod n) = 14^3 mod 33
= 2744 mod 33 = 5
which is same as the given M.
Hence, the process is correct.


Prob.6. In RSA encryption method, if the prime numbers p and q are 3 and 7 respectively, and the encryption exponent e is 11, find the following —
(i) The least positive decryption exponent d
(ii) Public and private key
(iii) Ciphertext when the plaintext P is encrypted using the public key.
(R.G.P.V., Dec. 2007)
Sol. Given, two prime numbers p = 3, q = 7 and e = 11
n = pq = 3 × 7 = 21
φ(n) = (p − 1)(q − 1) = 2 × 6 = 12
(i) de mod φ(n) = 1
The correct value of d is 11
Thus, d × e = 11 × 11 = 121 = 10 × 12 + 1
(ii) Public key KU = {e, n} = {11, 21}
Private key KR = {d, n} = {11, 21}
(iii) Ciphertext C = P^e (mod n) = P^11 (mod 21)


Prob.7. Explain the RSA algorithm. Using the RSA public key cryptography with z = 1, y = 2, x = 3, ..., a = 26 and p = 5, q = 7, and d = 5, determine e and encrypt 'fedcba'. (R.G.P.V., June ...)
Sol. RSA Algorithm — Refer to Q.29.
Given, p = 5, q = 7, and d = 5
Then
(i) n = pq = 5 × 7 = 35
(ii) φ(n) = (p − 1)(q − 1) = 4 × 6 = 24
(iii) Determine e such that d × e = 1 mod φ(n)
i.e., 5 × e = 1 mod 24 and e < 24
The correct value of e is 5.
The resulting keys are public key KU = {5, 35} and private key KR = {5, 35}.
Fig. 2.12 shows the encryption of the plaintext 'fedcba'.

Plaintext (P)              Ciphertext (C)                 After Decryption
Symbolic  Numeric  P^5     P^5 (mod 35)  C^5        C^5 (mod 35)  Symbolic
f         6        7776    6             7776       6             f
e         5        3125    10            100000     5             e
d         4        1024    9             59049      4             d
c         3        243     33            39135393   3             c
b         2        32      32            33554432   2             b
a         1        1       1             1          1             a
Sender's Computation                     Receiver's Computation
Fig. 2.12 RSA Encryption and Decryption of the Plaintext 'fedcba'

Prob.8. What are the main features of RSA algorithms? If p = 7 and q = 17, then calculate the values of e and d and also encrypt SIR. (R.G.P.V., Dec. 2009)
Sol. RSA Algorithm — Refer to Q.29.
Given, p = 7 and q = 17
n = p × q = 7 × 17 = 119
φ(n) = (p − 1)(q − 1) = 6 × 16 = 96
Now we select e such that e is relatively prime to φ(n) = 96 and less than φ(n). We choose e = 5.
Now de = 1 mod 96
5d = 1 mod 96
Then d = 77 since 5 × 77 = 385 = 4 × 96 + 1
The ciphertext, C, for a plaintext message, P, is given by C = P^5 mod 119. The ciphertext is decrypted by the receiver according to the rule P = C^77 mod 119. Fig. 2.13 shows the encryption of the plaintext 'SIR'.

Plaintext (P)              Ciphertext (C)                After Decryption
Symbolic  Numeric  P^5      P^5 (mod 119)  C^77    C^77 (mod 119)  Symbolic
S         19       2476099  66             66^77   19              S
I         9        59049    25             25^77   9               I
R         18       1889568  86             86^77   18              R
Sender's computation                      Receiver's computation
Fig. 2.13 An Example of RSA Algorithm

Prob.9. What do you mean by RSA algorithms? In a public-key system using RSA, you intercept the ciphertext C = 11 sent to a user whose public key is e = 7, n = 33. What is the plaintext M? (R.G.P.V., June 2009)
Sol. RSA Algorithm — Refer to Q.29.
Given, C = 11, e = 7, and n = 33.
As we know that n = pq
33 = pq, then p and q are 3 and 11
φ(n) = (p − 1)(q − 1) = 2 × 10 = 20
de = 1 mod φ(n)
d × 7 = 1 mod 20
d = 3
Now the plaintext M for the ciphertext C = 11 is
M = C^d mod n = 11^3 mod 33
M = 1331 mod 33 = 11 Ans.

Prob.10. Explain RSA algorithm and using this algorithm encrypt the following —
(i) p = 3, q = 11, e = 7, M = 5
(ii) p = 7, q = 11, e = 17, M = 8 (R.G.P.V., June 2008)


Sol RSA Algorithm — Refer to Q.29. 
(i) Refer to Prob.5, 
(ii) Here p= 7, q= 1l,e=17,M=8. 
Í n=pxq=7x11=77 
Then, = (P= 1) x (q— 1) =6 x 10= 60 
ed = 1 mod (n) 


d less that 
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Now, encrypt the message M=8 p ! | 
Las k: = M° iol per forming the decryption to get back the plaintext m, we use 
= 8!7 mod 77 y per m = C(mod n) = (106)'! mod 143 


m = [(106)* mod 143 x (106)4 mod 143 x (106)2 
143 x 106] mod 143 


m = [3 x 3 x 82 x 106] mod 143 


m=7 Ans. 


= ((84 mod 77) x (84 mod 77) x (84 x mod 77) mod 


(84 mod 77) (8! mod 77)) mod 77 
=(15 x 15 x 15 x 15 x 8) mod 77 
= 405000 mod 77 = 57 


: . I Ans, „ame as the given m. 
Prob.11. Perform encryption and decryption using the RSA algor; which js $4 ai ia . i 
for the following — És: prob.1 2, Perform < "e i : 5) go using RSA algorithm — 
(i) p=17,q=31,e=7,m=2 G) p= 1, q=13,e=N, n=, g 9451 e= m= (ii) p= Il, q = 13, €=17,m=8 
. (R.GP.V., May 2019) 


Prob.5. 
11,q=13,e=17,m=8 
n=pxq=ll x 13 = 143 
o(n) = (p— 1) x(q- 1)=10 x 12= 120 
ed = 1 mod $(n) 
17x d= 1 mod 120 
Then 17d must be 121, 241, 361, 481, etc. 


(R.GP.V, D 
ec. 2003) sol. (i) Refer to 


(ii) Here p = 


Sol. (i) Here p=17,q=31,e=7,m=2 
Here n =p X q = 17 x 31 = 527 
We know that $(n) = (p — 1) (q — 1) = 16 x 30 = 480 
Then, ed = 1 mod $(n) 

7x d = 1 mod 480 
Then 7d must be 481, 961, 1441, 1921, etc. 
Dividing each of these in tum by 7 to see which is divisible by 7, we get 


Then 


= = 343 Dividing each of these in turn by 17 to see which is divisible by 17, we get 
Thus, d= 343 - Sis | 
Now, H jz 
Supertext C=m‘modn bolas I 
=27 mod 527 Now, encrypt the message m = 8 
= 128 mod 527 = 128 Cai modi: ., 
And, 343 = 8!7 mod 143 
Plaintext m = 128 mod 527 =2 Ans. = [(8* mod 143) x (84 mod 143) x (84 mod 143) 
(ii) Here p= 11, q=13,e=11,m=7 x (84 mod 143) x (8! mod 143)] mod 143 
Pe = (92 x 92 x 92 x 92 x 8) mod 143 
=11 x 13=143 = 573114368 = 
We know that mod 143 = 112 Ans. 
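The RSA computations of Prob.8 to Prob.12, carried out in code. This is an added example and not part of the textbook; it uses the same letter-to-number encoding as fig. 2.12 and fig. 2.13 (a = 1, …, z = 26), computes d as the modular inverse of e instead of by trial, and the helper names (rsa_keygen, recover_plaintext, factor_small_n) are the example's own. The factoring helper exists only to reproduce Prob.9 on a textbook-sized n; it is the step that a real modulus of hundreds of digits makes infeasible.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Return (public key (e, n), private key (d, n)) for primes p, q and chosen e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)          # d with e*d ≡ 1 (mod phi(n)), d < phi(n)
    return (e, n), (d, n)


def rsa_encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)          # square-and-multiply; never forms m**e in full


def rsa_decrypt(c, private):
    d, n = private
    return pow(c, d, n)


def letter_to_num(ch):
    return ord(ch.upper()) - ord("A") + 1      # a/A = 1 ... z/Z = 26


def num_to_letter(k):
    return chr(ord("A") + k - 1)


def encrypt_text(text, public):
    """Encrypt one letter per block, as figs. 2.12 and 2.13 do."""
    return [rsa_encrypt(letter_to_num(ch), public) for ch in text]


def decrypt_text(blocks, private):
    return "".join(num_to_letter(rsa_decrypt(c, private)) for c in blocks)


def factor_small_n(n):
    """Trial division; only feasible because the textbook moduli are tiny."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_plaintext(c, e, n):
    """Prob.9: recover M from an intercepted C when n is small enough to factor."""
    p, q = factor_small_n(n)
    _, private = rsa_keygen(p, q, e)
    return rsa_decrypt(c, private)


if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 17, 5)              # Prob.8
    print(priv, encrypt_text("SIR", pub))         # (77, 119) [66, 25, 86]
    print(recover_plaintext(11, 7, 33))           # Prob.9: 11
```

Each ciphertext in the figures is one letter encrypted on its own, which is why the same letter always maps to the same block; a real RSA deployment pads each block randomly so that this pattern does not appear.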
ELLIPTIC CURVE OVER THE REALS, ELLIPTIC CURVE MOD A PRIME, CHINESE REMAINDER THEOREM

Q.39. What is an elliptic curve? What is sum of three points on an elliptic curve that lie on a straight line? (R.G.P.V., Dec. 2003, June 2004)


Or
What is an elliptic curve and what is zero point on elliptic curve? (R.G.P.V., June 2013)

Ans. An elliptic curve is a set of points on the coordinate plane satisfying an equation of the form
y^2 + axy + by = x^3 + cx^2 + dx + e
where a, b, c, d and e are real numbers, and x and y take on values in the real numbers. For our purpose, it is sufficient to limit ourselves to equations of the form
y^2 = x^3 + ax + b    (i)
Such an equation is said to be cubic, or of degree 3. Also included in the definition of an elliptic curve is a single element denoted by O and called the point at infinity or the zero point. To plot such a curve, we have to compute
y = ±√(x^3 + ax + b)
For given values of a and b, the plot consists of positive and negative values of y for each value of x. Thus, each curve is symmetric about y = 0.
Now, consider the set of points E(a, b) consisting of all of the points (x, y) that satisfy equation (i) together with the element O. Using a different value of the pair (a, b) results in a different set E(a, b).
A group can be defined based on the set E(a, b) provided that x^3 + ax + b has no repeated factors. This is equivalent to the condition
4a^3 + 27b^2 ≠ 0    (ii)
Now we define an operation, called addition and denoted by +, for the set E(a, b) where a and b satisfy equation (ii). The rules for addition can be stated as follows — if three points on an elliptic curve lie on a straight line, their sum is O. By this definition, the rules of addition can be defined over an elliptic curve as follows —
(i) O serves as the additive identity. Thus O = -O. For any point P on the elliptic curve, P + O = P. In what follows, we assume P ≠ O and Q ≠ O.
(ii) The negative of a point P is the point with the same x coordinate but the negative of the y coordinate [i.e., if P = (x, y), then -P = (x, -y)]. It is noted that P + (-P) = P - P = O.
(iii) To add two points P and Q with different x coordinates, draw a straight line between them and find the third point of intersection R, i.e. a unique point of intersection (unless the line is tangent to the curve at either P or Q, in which case we consider R = P or R = Q, respectively). To form a group structure, we need to define addition on these three points as follows — P + Q = -R, i.e., we define P + Q to be the mirror image (with respect to the x axis) of the third point of intersection.
(iv) The geometric interpretation of the preceding item also applies to two points, P and -P, with the same x coordinate. The points are joined by a vertical line, which can be viewed as also intersecting the curve at the infinity point. Therefore, we have P + (-P) = O, consistent with rule (ii).
(v) To double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = -S.
With the list of these rules it can be shown that the set E(a, b) is an abelian group.

Q.40. Explain elliptic curve cryptography. (R.G.P.V., Dec. 2005, June 2007)
Or
Discuss in brief elliptical curve cryptography. (R.G.P.V., June 2006)
Or
Describe elliptic curve cryptography. (R.G.P.V., Dec. 2004)
Or
Write up short note on elliptic curve cryptography. (R.G.P.V., Dec. 2007)
Or
What is an elliptic curve cryptography? (R.G.P.V., Dec. 2006, 2008)
Or
Explain elliptic curve cryptography with suitable example. (R.G.P.V., June 2016)

Ans. To form a cryptographic system using elliptic curves, we need to find a "hard problem" corresponding to factoring the product of two primes or taking the discrete logarithm.
Consider the equation Q = kP, where Q, P ∈ E_p(a, b) and k < p. It is relatively easy to calculate Q given k and P, but it is relatively hard to determine k given Q and P. This is called the discrete logarithm problem for elliptic curves.
ECC Key Exchange — Key exchange using elliptic curve can be done in the following manner. First pick a large integer q, which is either a prime number p or an integer of the form 2^m, and elliptic curve parameters a and b for equation
y^2 mod p = (x^3 + ax + b) mod p
or
y^2 + xy = x^3 + ax^2 + b
This defines the elliptic group of points E_q(a, b). Next, pick a base point G = (x1, y1) in E_q(a, b) whose order is a very large value n. The order n of a point G on an elliptic curve is the smallest positive integer n such that nG = O. E_q(a, b) and G are parameters of the cryptosystem known to all participants.
A key exchange between user A and user B can be accomplished as follows (fig. 2.14) —
(i) A selects an integer nA less than n. This is A's private key. A then generates a public key PA = nA × G; the public key is a point in E_q(a, b).
(ii) B similarly selects a private key nB and computes a public key PB.
(iii) A generates the secret key K = nA × PB. B generates the secret key K = nB × PA.

Global Public Elements
  E_q(a, b)    Elliptic curve with parameters a, b and q, where q is a prime or an integer of the form 2^m
  G            Point on elliptic curve whose order is large value n
User A Key Generation
  Select private nA      nA < n
  Calculate public PA    PA = nA × G
User B Key Generation
  Select private nB      nB < n
  Calculate public PB    PB = nB × G
Generation of Secret Key by User A
  K = nA × PB
Generation of Secret Key by User B
  K = nB × PA
Fig. 2.14 ECC Key Exchange

The two calculations in step (iii) produce the same result because
nA × PB = nA × (nB × G) = nB × (nA × G) = nB × PA.
To break this scheme, an attacker would need to be able to compute k given G and kG, which is assumed hard.
Example — Take p = 211; E_p(0, -4), which is equivalent to the curve y^2 = x^3 - 4; and G = (2, 2). One can calculate 240G = O.
A's private key, nA = 121
So A's public key, PA = 121 (2, 2) = (115, 48)
B's private key, nB = 203
So B's public key, PB = 203 (2, 2) = (130, 203)
The shared secret key is,
121 (130, 203) = 203 (115, 48) = (161, 69).

Q.41. Explain elliptic curve cryptography and its applications. (R.G.P.V., June 2017)
Ans. Elliptic Curve Cryptography — Refer to Q.40.
Applications — There are several applications of elliptic curve cryptography —
(i) Discrete Logarithm on EC — Modular exponentiation (computing g^k mod p given the prime p, a generator g of Z_p and k) is relatively simple, requiring O(log k) multiplications/squarings using the "Square and Multiply" technique. On the other hand, computing k provided g, p, and g^k is infeasible for large p (100's of digits). The discrete logarithm problem is also intractable for a group of points on carefully selected elliptic curves. Analogous to computing modular exponentiation in Z_p, computing kG, given k, G and the EC parameters, is relatively simple. The EC parameters include … the number of points on the EC. The operation
kG = G + G + … + G (k times)
is known as scalar multiplication. Analogous to the "Square and Multiply" technique employed for modular exponentiation, scalar multiplication may be performed by using a "Double and Add" technique. This involves computing 2G, 4G, 8G, … and then adding the suitable terms from the series.
(ii) Diffie-Hellman Key Exchange on EC Groups — For an EC specified over F(p), a six-tuple is used to identify (a) the EC and (b) the subgroup of points on the EC over which the discrete logarithm difficulty is infeasible —
⟨p, a, b, G, n, h⟩
(a) p represents a prime number. p is the order of the field F(p). a and b are the coefficients of the EC equation.
(b) G represents a generator of a large subgroup of the points on the EC. The order of G is a prime number, n. The last parameter, h, in the six-tuple is the "cofactor" equal to #EC(F_p)/n, where #EC(F_p) is the number of points on the EC.
Using the group of points on an EC, the Diffie-Hellman key exchange protocol is described. Consider that A and B require to agree on a fresh session key. Also consider that they have already agreed to employ the same EC with parameters ⟨p, a, b, G, n, h⟩. Then, A and B proceed to complete the following steps as given below —
(a) A selects a random integer x, computes xG and transmits this to B.
102 Cryptography & Information Security

(b) B selects a random integer y, computes yG and transmits this to A.
(c) B computes y(xG) = xyG on receipt of message of A.
(d) A computes x(yG) = xyG on receipt of message of B.
Now, both A and B share a common secret xyG. xyG is a point on the provided EC. Note that an eavesdropper who sees the "partial secrets" xG and yG will not be capable to deduce x, y, or xyG due to the infeasibility of the discrete logarithm difficulty on well selected elliptic curves and, more specifically, the intractability of the computational Diffie-Hellman difficulty on EC.
(iii) Encryption on EC Groups — El Gamal encryption over Z_p^*, carried over to encryption over a group of points on the elliptic curve, is defined as follows — a large subgroup of prime order n of the points on the EC is selected. Let G generate this subgroup.
(a) Let the integer a be private key of A.
(b) Then the public key of A is α = aG.
To encrypt a message to A, B performs the tasks as given below —
(a) B selects a random number r, 1 < r < n - 1, and calculates rG.
(b) B calculates M + rα. Note that the message has been shown like a point, M, in ⟨G⟩.
(c) The encrypted text is the pair (rG, M + rα) which is transmitted to A.
To decrypt the message received from B, A performs the tasks as given below —
(a) A extracts rG, the first part of the encrypted message, and uses her private key a to compute a(rG) = r(aG) = rα.
(b) Then A extracts M + rα from the encrypted message and subtracts out rα to achieve M + rα - rα = M.
Modified El Gamal Encryption — Step (i) of El Gamal encryption remains the same. However, step (ii) involves the following computation given below —
[rα]_x × m mod p
where [rα]_x represents the x-coordinate of rα.
The ciphertext is the pair (rG, [rα]_x × m mod p).
To decrypt the ciphertext, A uses her private key a as before to calculate a(rG) = r(aG) = rα. The x-coordinate of the point rα is extracted by her. She then performs the following computation with the second part of the ciphertext —
(([rα]_x)^-1 mod p) × ([rα]_x × m mod p) mod p
(iv) Digital Signatures — This signature algorithm is known as …. Let ⟨p, a, b, G, n, h⟩ show an EC. G represents a generator of a subgroup of the points, of prime order n. Let the integer a be private key of A and α = aG be her public key. The following tasks are performed by A to sign a message m —
(a) A selects a random number r, 1 < r < n - 1, and calculates rG.
(b) She calculates h(m), the hash of the message.
(c) Then, she calculates the pair (S1, S2), where
S1 = [rG]_x mod n and
S2 = r^-1 (h(m) + a × S1) mod n
We next derive the expression to verify A's signature, (S1, S2), on a message m. By definition,
S2 = r^-1 (h(m) + a × S1) mod n
Hence, r = S2^-1 h(m) + S2^-1 S1 a + kn (where k is an integer).
Using both sides of the above equation like scalar multipliers of point G, we obtain
rG = S2^-1 h(m) G + S2^-1 S1 (aG) + k(nG)
Now, aG = α and nG = O since the order of G is n.
Hence, rG = S2^-1 h(m) G + (S2^-1 S1) α
Taking the x-coordinate of the points on the R.H.S. and L.H.S., the equation
S1 = [S2^-1 h(m) G + (S2^-1 S1) α]_x
is achieved, which is used to verify the digital signature with the support of the signer's public key, α.

Q.42. Give the main differences between RSA algorithm and elliptic curve cryptography (ECC). (R.G.P.V., June 2014)
Ans. Refer to Q.29 and Q.40.

Q.43. Explain elliptic curve encryption/decryption with the help of an example. Also, discuss the security of ECC.
Or
Briefly explain elliptic curve … with examples. (R.G.P.V., Dec. …)
Ans. The first task in this approach is to encode the plaintext message m to be sent as an x-y point Pm. It is the point Pm that will be encrypted as a ciphertext and subsequently decrypted. It is noted that we cannot simply encode the message as the x or y coordinate of a point, because not all such coordinates are in E_q(a, b).
As with the key exchange system, an encryption/decryption system requires a point G and an elliptic group E_q(a, b) as parameters. Each user A selects a private key nA and generates a public key PA = nA × G.
To encrypt and send a message Pm to B, A chooses a random positive integer k and produces the ciphertext Cm consisting of the pair of points
Cm = {kG, Pm + kPB}
Note that A has used B's public key PB. To decrypt the ciphertext, B multiplies the first point in the pair by B's secret key and subtracts the result from the second point —
Pm + kPB - nB(kG) = Pm + k(nB G) - nB(kG) = Pm
A has masked the message Pm by adding kPB to it. Only A knows the value of k, so even though PB is a public key, no one can remove the mask kPB. However, A also includes a "clue", which is enough to remove the mask if one knows the private key nB. For an attacker to recover the message, the attacker would have to compute k given G and kG, which is assumed hard.
For example, take p = 751; E_p(-1, 188), which is equivalent to the curve y^2 = x^3 - x + 188; and G = (0, 376). Suppose that A wishes to send a message to B that is encoded in the elliptic point Pm = (562, 201) and that A selects the random number k = 386. B's public key is PB = (201, 5). We have 386 (0, 376) = (676, 558), and (562, 201) + 386 (201, 5) = (385, 328). Thus A sends the ciphertext {(676, 558), (385, 328)}.
Security of Elliptic Curve Cryptography — The security of ECC depends on how difficult it is to determine k given kP and P. This is referred to as the elliptic curve logarithm problem. The fastest known technique for taking the elliptic curve logarithm is known as the Pollard rho method. It is clear that a considerably smaller key size can be used for ECC compared to RSA. Furthermore, for equal key lengths, the computational effort required for ECC and RSA is comparable. Thus, there is a computational advantage to using ECC with a shorter key length than a comparably secure RSA.

Q.44. What are the hardware and software requirements? Classify them into various cryptographic services. (R.G.P.V., June 2013)
Ans. Hardware and Software Requirements — There are two clear portions of the application — the client-side and the server-side.
(i) Client-side Requirements — The client-side requirements include a browser-based workstation that has Internet Explorer browser installed. This specific browser is required due to use of the services of Microsoft's MS-CAPI cryptographic toolkit on the client-side. Because MS-CAPI is installed automatically as a part of Internet Explorer, we will need that the user must have it installed. Thus, the user can use another browser for actual surfing. That is, the user's workstation should still have Internet Explorer installed.
(ii) Server-side Requirements — They include the presence of a cryptographic toolkit. Even though JCA/JCE, MS-CAPI etc. can suffice, a toolkit like the one from RSA, Entrust or Baltimore is preferred. No other requirements exist on the server-side.
Classification of Requirements — These requirements are classified into the cryptographic service categories depicted in fig. 2.15.

Cryptographic Application
  Transaction Amount Dependent
  Cryptographic Services
    Authentication Services
      Certificate-based Authentication
      Message Digest
    Authorization Services
      Digital Signature
    Certificate Validation Services
      OCSP Checks
Fig. 2.15 Requirements Classified into Different Categories

Q.45. Discuss the elliptic curve over the reals.
Ans. As in the case of any group, we need to define —
(i) The elements of the group
(ii) The group operation
(iii) The group identity
(iv) The inverse of each group element.
The elements of our groups of interest are points whose (x, y) coordinates are real numbers satisfying
y^2 = x^3 + ax + b    (i)
where a, b are real numbers. To ensure that the curve does not intersect itself, the roots of the RHS polynomial in the above equation should be distinct. This translates into the inequality
4a^3 + 27b^2 ≠ 0.
We use the notation EC(a, b) to refer to an elliptic curve where a and b are the coefficients in the equation.
Fig. 2.16 (a) shows the elliptic curve EC(-5, 8), which is in a single piece. Fig. 2.16 (b) shows EC(-5, 3), which comprises two disjoint pieces. Fig. 2.16 (c) shows EC(-3, 2), which is self-intersecting and violates the condition.
(a) y^2 = x^3 - 5x + 8    (b) y^2 = x^3 - 5x + 3    (c) y^2 = x^3 - 3x + 2
Fig. 2.16 Elliptic Curve Over Reals

Q.46. Describe the elliptic curve modulo a prime.
Ans. The equation of elliptic curve EC over F(p), where p is prime, is identical to the one for ECs over reals. Note that the coordinates of the points and the coefficients in the equation are elements of F(p). The algebraic expressions for point negation, point addition and point doubling are identical to those derived for ECs over reals except that all operations are performed modulo p. However, unlike in the case for reals, there is no obvious geometrical interpretation for point addition or doubling.
Example — Let the EC be y^2 = x^3 + 2x + 4 over F_13.
The 17 points on the elliptic curve (EC), including the point at infinity, are as follows —
O
(0, 2)    (0, 11)
(2, 4)    (2, 9)
(5, 3)    (5, 10)
(7, 6)    (7, 7)
(8, 5)    (8, 8)
(9, 6)    (9, 7)
(10, 6)   (10, 7)
(12, 1)   (12, 12)
The relationship between p and the number of points on an EC defined over F(p) turns out to be that the number of points is O(p). In fact, Hasse's theorem establishes very tight bounds on #EC(F_p), the number of points on the EC —
p + 1 - 2√p ≤ #EC(F_p) ≤ p + 1 + 2√p

Q.47. Define the Chinese remainder theorem.
Ans. If factors of the modulus m are known, i.e. we can write
m = m1 m2 … mk
the congruences x ≡ y mod mi (i = 1, 2, …, k) naturally follow from x ≡ y mod m. If the modulus is a large number, it may often be easier to compute using these smaller moduli. This can be done very generally if the factors m1, m2, …, mk are pairwise coprime, in other words, if gcd(mi, mj) = 1 when i ≠ j —
Theorem (Chinese remainder theorem) — If the numbers y1, y2, …, yk are given and the moduli m1, m2, …, mk are pairwise coprime, then there is a unique integer x modulo m1 m2 … mk that satisfies the k congruences
x ≡ yi mod mi (i = 1, 2, …, k).
Proof — Denote M = m1 m2 … mk and Mi = M/mi (i = 1, 2, …, k). Since the mi's are pairwise coprime, gcd(M1, M2, …, Mk) = 1 and gcd(mi, Mi) = 1 (i = 1, 2, …, k). The following procedure produces a solution x (if there is one!), and also shows that the solution is unique modulo M.
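Elliptic-curve point arithmetic over F_p, as an added example that is not part of the textbook. It implements the addition, negation and doubling rules of Q.39 and Q.46 reduced modulo p, the "Double and Add" scalar multiplication of Q.41, the key exchange of fig. 2.14 and the encryption/decryption of Q.43, and reproduces the figures given in Q.40 (p = 211), Q.43 (p = 751) and Q.46 (17 points over F_13). The point at infinity O is represented by None; the function names and the value k = 7 used in the decryption round trip are the example's own choices.

```python
O = None  # the point at infinity, the group identity


def on_curve(P, a, b, p):
    """True if P is O or satisfies y^2 = x^3 + ax + b (mod p)."""
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def neg(P, p):
    """-P = (x, -y), rule (ii) of Q.39."""
    return O if P is O else (P[0], (-P[1]) % p)


def add(P, Q, a, p):
    """P + Q; the same chord/tangent formulas as over the reals, reduced mod p."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P: vertical line, sum is O
        return O
    if P == Q:                               # doubling: tangent slope
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                    # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, a, p):
    """kP = P + P + ... + P (k times) by Double and Add: O(log k) group operations."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R


def count_points(a, b, p):
    """#EC(F_p) by exhaustive search (fine for textbook-sized p), counting O."""
    squares = {}
    for y in range(p):
        squares.setdefault(y * y % p, []).append(y)
    n = 1
    for x in range(p):
        n += len(squares.get((x ** 3 + a * x + b) % p, []))
    return n


def ec_key_exchange(nA, nB, G, a, p):
    """Fig. 2.14: returns (PA, PB, K computed by A, K computed by B)."""
    PA, PB = mul(nA, G, a, p), mul(nB, G, a, p)
    return PA, PB, mul(nA, PB, a, p), mul(nB, PA, a, p)


def ec_encrypt(Pm, k, PB, G, a, p):
    """Q.43: Cm = {kG, Pm + kPB}."""
    return mul(k, G, a, p), add(Pm, mul(k, PB, a, p), a, p)


def ec_decrypt(Cm, nB, a, p):
    """Q.43: Pm = (Pm + kPB) - nB(kG)."""
    C1, C2 = Cm
    return add(C2, neg(mul(nB, C1, a, p), p), a, p)


if __name__ == "__main__":
    print(ec_key_exchange(121, 203, (2, 2), 0, 211))          # (115,48) (130,203) (161,69) (161,69)
    print(ec_encrypt((562, 201), 386, (201, 5), (0, 376), -1, 751))   # ((676,558), (385,328))
    print(count_points(2, 4, 13))                              # 17
```

The check in the test that #EC(F_211) · G = O is Lagrange's theorem for the point group, and the Hasse bound from Q.46 is verified on the same count; the order of G (240) divides that count, which is why the page can state 240G = O.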
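The constructive proof of Q.47 is cut off on the page; the following is an added example, not the textbook's, implementing the standard construction with the theorem's own symbols (M = m1 m2 … mk, Mi = M/mi, and an inverse Ni of Mi modulo mi). It also applies the theorem to the RSA decryptions of Prob.11 and Prob.12, computing c^d modulo p and modulo q separately and recombining, which is the "easier to compute using these smaller moduli" remark made concrete. The function names are the example's own.

```python
from math import gcd, prod


def crt(residues, moduli):
    """Return (x, M) with x ≡ y_i (mod m_i) for every i and 0 <= x < M = m_1 ... m_k.
    Raises ValueError when the moduli are not pairwise coprime (the theorem's hypothesis)."""
    if not moduli or len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    M = prod(moduli)
    x = 0
    for y_i, m_i in zip(residues, moduli):
        M_i = M // m_i                 # M_i = M / m_i, and gcd(m_i, M_i) = 1
        N_i = pow(M_i, -1, m_i)        # N_i M_i ≡ 1 (mod m_i)
        x += y_i * M_i * N_i           # ≡ y_i (mod m_i) and ≡ 0 (mod m_j) for j != i
    return x % M, M                    # reduction mod M gives the unique solution


def satisfies(x, residues, moduli):
    """Check all k congruences for a candidate x."""
    return all((x - y) % m == 0 for y, m in zip(residues, moduli))


def rsa_decrypt_crt(c, d, p, q):
    """m = c^d mod pq computed mod p and mod q, then recombined with the CRT.
    d is reduced mod p-1 and q-1 by Fermat's little theorem."""
    m_p = pow(c, d % (p - 1), p)
    m_q = pow(c, d % (q - 1), q)
    return crt([m_p, m_q], [p, q])[0]


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))            # (23, 105)
    print(rsa_decrypt_crt(112, 113, 11, 13))    # 8, as in Prob.12 (ii)
```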


NUMERICAL PROBLEMS

Prob.13. On the elliptic curve over the real numbers y^2 = x^3 - 36x, let P = (-3.5, 9.5) and Q = (-2.5, 8.5). Find P + Q and 2P. (R.G.P.V., June 2008)
Sol. The sum R = P + Q can be expressed as follows —
xR = λ^2 - xP - xQ
yR = -yP + λ(xP - xR)
where λ = (yQ - yP)/(xQ - xP)
Here P = (-3.5, 9.5) and Q = (-2.5, 8.5). Thus,
xR = [(8.5 - 9.5)/(-2.5 + 3.5)]^2 + 3.5 + 2.5
   = (-1)^2 + 3.5 + 2.5
   = 7
and yR = -9.5 + [(8.5 - 9.5)/(-2.5 + 3.5)] (-3.5 - 7)
   = -9.5 + (-1)(-10.5)
   = -9.5 + 10.5
   = 1
We also need to be able to add a point to itself, i.e., P + P = 2P = R. When yP ≠ 0 the expressions are
λ = (3xP^2 + a)/(2yP)
xR = λ^2 - 2xP
yR = λ(xP - xR) - yP
Thus, λ = [3(-3.5)^2 + (-36)]/(2 × 9.5) = (3 × 12.25 - 36)/(2 × 9.5) = (36.75 - 36)/(2 × 9.5) = 0.75/(2 × 9.5) = 0.039
xR = (0.039)^2 + 7.0
and yR = (0.039)(-3.5 - 7.04) - 9.5
   = (0.039)(-10.54) - 9.5
   = -0.41 - 9.5 = -9.91


3

KEY MANAGEMENT, CRYPTOGRAPHIC HASH FUNCTION, UNIVERSAL HASHING, SECURE HASH ALGORITHM (SHA), DIGITAL SIGNATURE STANDARD (DSS)

Q.1. What is message authentication? Give the name of two levels of functionality that comprise a message authentication or digital signature mechanism.
Ans. Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered. Message authentication may also verify sequencing and timeliness.
Any message authentication or digital signature mechanism can be viewed as having fundamentally two levels. At the lower level, there must be some sort of function that produces an authenticator — a value to be used to authenticate a message. This lower-level function is then used as primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message.
There are many types of functions that may be used to produce an authenticator. These may be grouped into three categories as follows —
(i) Message Encryption — The ciphertext of the entire message serves as its authenticator.
(ii) Message Authentication Code (MAC) — A public function of the message and a secret key that produces a fixed-length value, which serves as the authenticator.
(iii) Hash Function — A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.
Q.2. Why are message authentication codes derived from a cryptographic hash function being preferred over authentication codes derived from a symmetric cipher?
Ans. A message authentication code (MAC) based on the use of a symmetric block cipher is known as Data Authentication Algorithm. This has traditionally been the most common approach to constructing a MAC. In recent years there has been increased interest in developing a MAC derived from a cryptographic hash function. The motivations for this interest are as follows —
(i) Cryptographic hash functions such as MD5 or SHA-1 generally execute faster in software than symmetric block ciphers such as DES.
(ii) Library code for cryptographic hash functions is widely available.
(iii) There are no export restrictions from the U.S. or other countries for cryptographic hash functions, whereas symmetric block ciphers, even when used for MACs, are restricted.

Q.3. Explain the message authentication codes.
Ans. An alternative technique of authentication involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or message authentication code (MAC), that is appended to the message. Consider two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key —
MAC = C_K(M)
where M = Input message
C = MAC function
K = Shared secret key
MAC = Message authentication code.
The message plus MAC are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC. The received MAC is compared to the calculated MAC as shown in fig. 3.1 (a). If we suppose that only the receiver and the sender know the identity of the secret key, and if the received MAC matches the calculated MAC, then
(i) The receiver is assured that the message has not been altered. If an attacker alters the message but does not alter the MAC, then the receiver's calculation of the MAC will differ from the received MAC. Because the attacker is assumed not to know the secret key, the attacker cannot alter the MAC to correspond to the alterations in the message.
(ii) The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper MAC.
(iii) If the message includes a sequence number (such as is used with HDLC, X.25 and TCP), then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.
A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as it must for decryption. In general, the MAC function is a many-to-one function. The domain of the function consists of messages of some arbitrary length, whereas the range consists of all possible MACs and all possible keys. If an n-bit MAC is used, then there are 2^n possible MACs, whereas there are N possible messages with N >> 2^n. Furthermore, with a k-bit key, there are 2^k possible keys.

A → B: M || C_K(M)            (receiver recomputes C_K(M) and compares)
(a) Message Authentication
A → B: E_K2[M || C_K1(M)]
(b) Message Authentication and Confidentiality; Authentication Tied to Plaintext
A → B: E_K2[M] || C_K1(E_K2[M])
(c) Message Authentication and Confidentiality; Authentication Tied to Ciphertext
Fig. 3.1 Basic Uses of Message Authentication Code (MAC)

The process illustrated in fig. 3.1 (a) provides authentication but not confidentiality, because the message as a whole is transmitted in the clear. Confidentiality can be provided by performing message encryption either after (fig. 3.1 (b)) or before (fig. 3.1 (c)) the MAC algorithm. In both these cases, two separate keys are needed, each of which is shared by the sender and the receiver. In the first case, the MAC is calculated with the message as input and is then concatenated to the message. The entire block is then encrypted. In the second case, the message is encrypted first. Then the MAC is calculated using the resulting ciphertext and is concatenated to the ciphertext to form the transmitted block. Typically, it is preferable to tie the authentication directly to the plaintext, so the method of fig. 3.1 (b) is used.
Table 3.1 summarizes the confidentiality and authentication implications of the approaches shown in fig. 3.1.

Table 3.1 Basic Uses of Message Authentication Code C
(a) Message Authentication
A → B: M || C_K(M)
  • Provides authentication
    — Only A and B share K
(b) Message Authentication and Confidentiality: Authentication Tied to Plaintext
A → B: E_K2[M || C_K1(M)]
  • Provides authentication
    — Only A and B share K1
  • Provides confidentiality
    — Only A and B share K2
(c) Message Authentication and Confidentiality: Authentication Tied to Ciphertext
A → B: E_K2[M] || C_K1(E_K2[M])
  • Provides authentication
    — Using K1
  • Provides confidentiality
    — Using K2

Because symmetric encryption will provide authentication and because it is widely used with readily available products, why not simply use this instead of a separate message authentication code? [DAVI89] suggests three situations in which a message authentication code is used —
(i) In a number of applications the same message is broadcast to a number of destinations, such as a notification that the network is now unavailable or an alarm signal in a military control center. It is cheaper and more reliable to have only one destination responsible for monitoring authenticity. Thus, the message must be broadcast in plaintext with an associated message authentication code. The responsible system has the secret key and performs authentication. If a violation occurs, the other destination systems are alerted by a general alarm.
(ii) Another possible scenario is an exchange in which one side has a heavy load and cannot afford the time to decrypt all incoming messages. Authentication is carried out on a selective basis, messages being chosen at random for checking.
(iii) Authentication of a computer program in plaintext is an attractive service. The computer program can be executed without having to decrypt it every time, which would be wasteful of processor resources. However, if a message authentication code were attached to the program, it could be checked whenever assurance was required of the integrity of the program.
Three other rationales may be added, as follows —
(iv) For some applications, it may not be of concern to keep messages secret, but it is important to authenticate messages. An example is the Simple Network Management Protocol version 3 (SNMPv3), which separates the functions of confidentiality and authentication. For this application, it is usually important for a managed system to authenticate incoming SNMP messages, particularly if the message contains a command to change parameters at the managed system. On the other hand, it may not be necessary to conceal the SNMP traffic.
(v) Separation of authentication and confidentiality functions affords architectural flexibility. For example, it may be desired to perform authentication at the application level but to provide confidentiality at a lower level.
(vi) A user may wish to prolong the period of protection beyond the time of reception and yet allow processing of message contents. With message encryption, the protection is lost when the message is decrypted, so the message is protected against fraudulent modifications only in transit but not within the target system.
Finally, note that the MAC does not provide a digital signature because both sender and receiver share the same key.
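The check of fig. 3.1 (a), as an added example that is not part of the textbook: the sender transmits M || C_K(M) and the receiver recomputes C_K(M) over what it received and compares. HMAC-SHA256 stands in for the MAC function C (the page does not name one), the message carries a sequence number as in point (iii) of Q.3, and the key and messages are constructed for the example. The comparison uses a constant-time compare so that the receiver does not leak how many bytes of the MAC matched.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32                      # SHA-256 digest size in bytes
SEQ_LEN = 4                       # sequence number field, big-endian unsigned


def mac(key: bytes, message: bytes) -> bytes:
    """C_K(M): the authenticator over the whole message M under the shared key K.
    HMAC-SHA256 is the concrete MAC function assumed in this example."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side of fig. 3.1 (a): M = seq || payload, transmit M || C_K(M)."""
    m = struct.pack(">I", seq) + payload
    return m + mac(key, m)


def receive(key: bytes, expected_seq: int, frame: bytes):
    """Receiver side: recompute C_K(M) over the received M and compare with the
    received MAC, then check the sequence number. Returns (accepted, payload)."""
    if len(frame) < SEQ_LEN + MAC_LEN:
        return False, None                     # too short to carry a MAC at all
    m, received_mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
    if not hmac.compare_digest(mac(key, m), received_mac):
        return False, None                     # altered message, altered MAC or wrong key
    seq = struct.unpack(">I", m[:SEQ_LEN])[0]
    if seq != expected_seq:
        return False, None                     # replayed or reordered message
    return True, m[SEQ_LEN:]


if __name__ == "__main__":
    key = b"constructed-shared-key-K"          # constructed for the example
    frame = send(key, 1, b"set param=1")
    print(receive(key, 1, frame))              # (True, b'set param=1')
    tampered = frame[:SEQ_LEN] + b"set param=9" + frame[-MAC_LEN:]
    print(receive(key, 1, tampered))           # (False, None)
```

The tampered frame keeps the original MAC and changes only the payload, which is exactly the case of point (i): without K the attacker cannot produce the MAC that matches the altered message. Presenting the same genuine frame with a different expected sequence number shows the replay check of point (iii).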


Q.4. What types of attacks are addressed by message authentication? (R.G.P.V., June 2017)
Ans. In communication across a network the following attacks can be identified —
(i) Disclosure — Release of message contents to any person or process not possessing the appropriate cryptographic key.
(ii) Traffic Analysis — Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined.
(iii) Masquerade — Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgements by someone other than the message recipient.
(iv) Content Modification — Changes to the contents of a message, including insertion, deletion, transposition and modification.
(v) Sequence Modification — Any modification to a sequence of messages between parties, including insertion, deletion and reordering.
(vi) Timing Modification — Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message, such as a datagram, could be delayed or replayed.
(vii) Source Repudiation — Denial of transmission of message by source.
(viii) Destination Repudiation — Denial of receipt of message by destination.
Thus, some counter-measures are required to deal with these attacks, which are generally regarded as message authentication.

Q.5. Explain digital signature with the help of an example. Give its 
properties and requirements in brief. (R.G.P.V., June 2007) 
Or 
Explain digital signature. (R.G.P.V., Dec. 2004, 2005) 
Or 
Write short note on digital signatures. (R.G.P.V., June 2006) 

Ans. Message authentication protects two parties who exchange messages 
from any third party. However, it does not protect the two parties against each 
other. Several forms of dispute between the two are possible. 

For example, suppose that Vishal sends an authenticated message to 
Gourav, using one of the schemes of message authentication code. Then the 
following disputes can arise — 
(i) Gourav may forge a different message and claim that it came 
from Vishal. Gourav would simply have to create a message and append an 
authentication code using the key that Vishal and Gourav share. 
(ii) Vishal can deny sending the message. Because it is possible for 
Gourav to forge a message, there is no way to prove that Vishal did in fact 
send the message. 

Suppose we take an example of the first scenario. An electronic funds transfer 
takes place, and the receiver increases the amount of funds transferred and 
claims that the larger amount had arrived from the sender. An example of the 
second scenario is that an electronic mail message contains instructions to a 
stockbroker to make a transaction that subsequently turns out badly. The sender 
pretends that the message was never sent. 

Where there is not complete trust between sender and receiver, something 
more than authentication is needed. The most attractive solution to this problem 
is the digital signature. Then it must have the following properties — 
(i) It must verify the author and the date and time of the signature. 
(ii) It must authenticate the contents at the time of the signature. 
(iii) It must be verifiable by third parties, to resolve disputes. 
Thus the digital signature function includes the authentication function. 
On the basis of these properties, we can formulate the following 
requirements for a digital signature — 
(i) The signature must be a bit pattern that depends on the message 
being signed. 
(ii) The signature must use some information unique to the sender, 
to prevent both forgery and denial. 
(iii) It must be relatively easy to produce the digital signature. 
(iv) It must be relatively easy to recognize and verify the digital signature. 
(v) It must be computationally infeasible to forge a digital signature, 
either by constructing a new message for an existing digital signature or by 
constructing a fraudulent digital signature for a given message. 
(vi) It must be practical to retain a copy of the digital signature in storage. 


Q.6. What is the important aspect that establishes trust in digital 
signatures ? (R.G.P.V., June 2014) 
Ans. Refer to Q.5. 


Q.7. What property does a digital signature provide that an HMAC does 
not ? Discuss. (R.G.P.V., June 2007, Dec. 2007) 
Ans. An HMAC does not provide nonrepudiation. A digital signature provides 
nonrepudiation. If the sender denies sending the message, the public key 
corresponding to her private key can be tested on the signed message: if the 
result of the decryption matches the original message, then we know the sender 
sent the message. 
Q.8. Explain arbitrated and direct approach for digital signature 
function. (R.G.P.V., Dec. …) 
Or 
What are some threats associated with a direct digital signature scheme ? 
Describe in detail. (R.G.P.V., June 2005) 
Or 
Explain direct digital signature. What are some threats associated with 
a direct digital signature scheme ? (R.G.P.V., Dec. 2009) 
Or 
Explain digital signature with arbitrated and direct approaches. 
(R.G.P.V., May 2018) 


Ans. Direct Digital Signature — The direct digital signature involves 
only the communicating parties (source, destination). Assume that the 
destination knows the public key of the source. A digital signature is 
formed by encrypting the entire message with the sender's private key or by 
encrypting a hash code of the message with the sender's private key. 


Confidentiality can be provided by further encrypting the entire message 
plus signature with either the receiver's public key or a shared secret key 
(symmetric encryption). Note that it is important to perform the signature 
function first and then an outer confidentiality function. In case of any dispute, 
some third party must view the message and its signature. If the signature is 
calculated on an encrypted message, then the third party also needs access to 
the decryption key to read the original message. However, if the signature is 
the inner operation, then the recipient can store the plaintext message and its 
signature for later use in dispute resolution. 


All direct schemes share a common weakness. The validity of the scheme 
depends on the security of the sender's private key. If a sender later wishes to 
deny sending a particular message, the sender can claim that the private key was 
lost or stolen and that someone else forged his or her signature. Administrative 
controls relating to the security of private keys can be employed to thwart or at 
least weaken this ploy, but the threat is still there, at least to some degree. One 
example is to require every signed message to include a timestamp (date and 
time) and to require prompt reporting of compromised keys to a central authority. 

Another threat is that some private key might actually be stolen from X at 
time T. The opponent can then send a message signed with X's signature and 
stamped with a time before or equal to T. 


Arbitrated Digital Signature — The problems associated with direct digital 
signature can be addressed by using an arbiter. As with direct signature schemes, 
there are various arbitrated signature schemes. Generally, they all operate as 
follows. Every signed message from a sender X to a receiver Y goes first to an 
arbiter A, who subjects the message and its signature to a number of tests to 
check its origin and content. The message is then dated and sent to Y with an 
indication that it has been verified to the satisfaction of the arbiter. The 
presence of A solves the problem faced by direct signature schemes — that X 
might disown the message. 

The arbiter plays a sensitive and crucial role in this sort of scheme, and all 
parties must have a great deal of trust that the arbitration mechanism is working 
properly. The use of a trusted system might satisfy this requirement. Table 3.2 
gives several examples of arbitrated digital signatures. 

Table 3.2 Arbitrated Digital Signature Techniques 

(a) Conventional Encryption, Arbiter Sees Message 
(1) X → A : M || E_Kxa[ID_X || H(M)] 
(2) A → Y : E_Kay[ID_X || M || E_Kxa[ID_X || H(M)] || T] 

(b) Conventional Encryption, Arbiter Does Not See Message 
(1) X → A : ID_X || E_Kxy[M] || E_Kxa[ID_X || H(E_Kxy[M])] 
(2) A → Y : E_Kay[ID_X || E_Kxy[M] || E_Kxa[ID_X || H(E_Kxy[M])] || T] 

(c) Public-key Encryption, Arbiter Does Not See Message 
(1) X → A : ID_X || E_KRx[ID_X || E_KUy[E_KRx[M]]] 
(2) A → Y : E_KRa[ID_X || E_KUy[E_KRx[M]] || T] 

Notation — X = Sender, Y = Recipient, A = Arbiter, M = Message, 
T = Timestamp; K_xa, K_ay, K_xy = secret keys shared by the indicated pair; 
KR_x, KR_a = private keys of X and A; KU_y = public key of Y 
In the first scenario, both parties must have a high degree of trust in A — 
(i) X must trust A not to reveal K_xa and not to generate false 
signatures of the form E_Kxa[ID_X || H(M)]. 
(ii) Y must trust A to send E_Kay[ID_X || M || E_Kxa[ID_X || H(M)] || T] only 
if the hash value is correct and the signature was generated by X. 
(iii) Both sides must trust A to resolve disputes fairly. 
If the arbiter lives up to this trust, then X is assured that no one can forge 
his signature and Y is assured that X cannot disavow his signature. This scenario 
also implies that A is able to read messages from X to Y and, indeed, that any 
eavesdropper is able to do so. Table 3.2 (b) shows a scenario that provides the 
arbitration as before but also assures confidentiality. Although unable to read 
the message, the arbiter could still form an alliance with the sender to deny a 
signed message or with the receiver to forge the sender's signature. 

All the problems just discussed can be resolved by going to a public-key 
scheme, which is shown in table 3.2 (c). This scheme has a number of 
advantages over the preceding two schemes. First, no information is shared 
among the parties before communication, preventing alliances to defraud. 
Second, no incorrectly dated message can be sent, even if KR_x is compromised, 
assuming that KR_a is not compromised. Finally, the content of the message 
from X to Y is secret from A and anyone else. However, this final scheme 
involves encryption of the message twice with a public-key algorithm. 

Q.9. Differentiate between direct digital signature and arbitrated digital 
signature. (R.G.P.V., June 2008) 
Or 
Compare direct digital signature vs arbitrated digital signature. 
(R.G.P.V., Dec. 2008) 

Ans. A direct digital signature involves only the communicating parties, 
i.e., source and destination. A digital signature is formed by encrypting the 
entire message with the sender's private key. Confidentiality is provided by 
further encrypting the entire message plus signature with either the receiver's 
public key or a shared secret key. 

On the other hand, in arbitrated digital signature, each signed message 
from a sender X to a receiver Y goes first to an arbiter A, who subjects the 
message and its signature to a number of tests to check its origin and content. 
The message is then dated and sent to Y with an indication that it has been 
verified to the satisfaction of the arbiter. 

Q.10. "Digital envelopes combine the best features of symmetric and 
asymmetric key cryptography." Explain it. Why ? (R.G.P.V., June 2014) 
Ans. Symmetric key cryptography and asymmetric key cryptography are 
combined to have a very efficient security solution. The way it works is as 
follows — 
(i) Suppose A is the sender of a message. Then A's computer encrypts 
the original plain text message with the help of a standard symmetric key 
cryptography algorithm and generates a cipher text message (CT1). In this 
operation, the key used (K1) is called a one-time symmetric key because it is 
used only once. 
(ii) A now takes the one-time symmetric key of step (i), i.e., K1, and 
encrypts K1 with B's public key K2. This process is called key wrapping of 
the symmetric key. B is the receiver of the message. 
(iii) Now, A puts the cipher text (CT1) and the encrypted symmetric key 
(K1) together inside a digital envelope. 
(iv) A sends the digital envelope to B. 
(v) B receives the digital envelope that contains the cipher text and the 
one-time symmetric key (K1) encrypted using B's public key (K2). 
(vi) Now B uses the same asymmetric key algorithm as used by A and 
B's private key (K3) to decrypt the logical box that has the symmetric key 
(K1) encrypted with B's public key (K2). 
(vii) At last, B applies the same symmetric key algorithm as was used 
by A and the symmetric key K1 to decrypt the cipher text. Thus, B generates the 
original plain text. 

Q.11. Explain the digital signature process. 
Ans. Fig. 3.2 shows the digital signature process. The sender uses a signing 
algorithm to sign the message. The message and the signature are sent to the 
receiver. The receiver receives the message and the signature and applies the 
verifying algorithm to the combination. If the result is true, the message is 
accepted; otherwise, it is rejected. 

[Fig. 3.2 Digital Signature Process — signing algorithm at the sender, verifying 
algorithm at the receiver; M — Message, S — Signature] 

In a digital signature, the signer uses her private key, applied to a signing 
algorithm, to sign the document. The verifier, on the other hand, uses the public 
key of the signer, applied to the verifying algorithm, to verify the document. 

We can add the private and public keys to fig. 3.2 to give a more complete 
concept of digital signature (see fig. 3.3). Note that when a document is signed, 
anyone, including Bob, can verify it because everyone has access to Alice's 
public key. Alice must not use her public key to sign the document because 
then anyone could forge her signature. 

[Fig. 3.3 Signing and verifying with the private and public keys added — 
M — Message, S — Signature, Signing Algorithm, Verifying Algorithm] 


Q.12. Describe how digital signature can be used for ensuring message 
integrity in distributed system ? (R.G.P.V., Dec. …) 

Ans. Message integrity often goes beyond the actual transfer through a 
secure channel. Consider the situation in which Bob has just sold Alice a 
collector's item of some phonograph record for $500. The whole deal was done 
through e-mail. In the end, Alice sends Bob a message confirming that she will 
buy the record for $500. In addition to authentication, there are at least two 
issues that need to be taken care of regarding the integrity of the message. 

(i) Alice needs to be assured that Bob will not maliciously change 
the $500 mentioned in her message into something higher, and claim she 
promised more than $500. 

(ii) Bob needs to be assured that Alice cannot deny ever having 
sent the message, for example, because she had second thoughts. 

These two issues can be dealt with if Alice digitally signs the message in 
such a way that her signature is uniquely tied to its content. The unique 
association between a message and its signature prevents modifications to 
the message from going unnoticed. In addition, if Alice's signature can be verified 
to be genuine, she cannot later rep udiate the fact that she signed the message. 

There are several ways to place digital signatures. One popular form is to 
use a public-key cryptosystem such as RSA, as shown in fig. 3.4. When Alice 
sends a message m to Bob, she encrypts it with her private key K_A⁻, and sends 
it off to Bob. If she also wants to keep the message content a secret, she can 
use Bob's public key and send K_B⁺(m, K_A⁻(m)), which combines m and the 
version signed by Alice. 


[Fig. 3.4 Digitally Signing a Message Using Public-key Cryptography — 
Alice's computer: m, Alice's private key K_A⁻, K_A⁻(m), Bob's public key K_B⁺, 
K_B⁺(m, K_A⁻(m)); Bob's computer: Bob's private key K_B⁻, Alice's public key K_A⁺] 
When the message arrives at Bob, he can decrypt it using Alice's public 
key. If he can be assured that the public key is indeed owned by Alice, then 
decrypting the signed version of m and successfully comparing it to m can 
mean only that it came from Alice. Alice is protected against any malicious 
modifications to m by Bob, because Bob will always have to prove that the 
modified version of m was also signed by Alice. In other words, the decrypted 
message alone essentially never counts as proof. It is also in Bob's own interest 
to keep the signed version of m to protect himself against repudiation by Alice. 

There are a number of problems with this scheme, although the protocol 
itself is correct. First, the validity of Alice's signature holds only as long as 
her private key remains a secret. If Alice wants to bail out of the deal even 
after giving her confirmation, she could claim that her private key was 
stolen before the message was sent. 

Another problem occurs when Alice decides to change her private key, as 
doing so from time to time helps against intrusion. However, once Alice has 
changed her key, her statement sent to Bob becomes worthless. What may be 
needed in such cases is a central authority that keeps track of when keys are 
changed, in addition to using timestamps when signing messages. 

Another problem with this scheme is that Alice encrypts the entire message 
with her private key. Such an encryption may be costly in terms of processing 
time and is actually unnecessary. A cheaper and elegant scheme is to use a 
message digest. 

A message digest is a fixed-length bit string h that has been computed 
from an arbitrary-length message m by means of a cryptographic hash function 
H. If m is changed to m', its hash H(m') will be different from h = H(m) so that 
it can easily be detected that a modification has taken place. 

To digitally sign a message, Alice can first compute a message digest and 
subsequently encrypt the digest with her private key, as shown in fig. 3.5. The 
encrypted digest is sent along with the message to Bob. 

[Fig. 3.5 Digitally Signing a Message Using a Message Digest — Alice's 
computer: m, hash function H, H(m), Alice's private key K_A⁻, K_A⁻(H(m)); 
Bob's computer: hash function H, Alice's public key K_A⁺, H(m) compared 
with the decrypted digest] 

When Bob receives the message and its encrypted digest, he needs merely 
to decrypt the digest with Alice's public key, and separately calculate the message 
digest. If the digest calculated from the received message and the decrypted 
digest match, Bob knows the message has been signed by Alice. 
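The following is an added worked example, not code from the book, that ties together the points of Q.5/Q.7 (a shared-key MAC cannot settle a dispute, a signature can), Q.8 (sign first, then apply the outer confidentiality function), Q.10 (the digital envelope: one-time symmetric key K1 wrapped with the receiver's public key) and Q.12 (fig. 3.5: sign the digest H(m) rather than the whole message). It assumes toy RSA key pairs built from Mersenne primes with textbook (unpadded) RSA on a SHA-256 digest, a SHA-256 keystream XOR as a stand-in for the symmetric cipher, a fixed 128-byte signature field, and the names `seal`, `open_envelope` and `SHARED_KEY`; all of these are constructed for illustration and none are real key-generation or cipher designs.

```python
import hashlib
import hmac
import os

# Constructed toy RSA keys built from Mersenne primes. Illustration only: this
# is not a key-generation procedure for real use, and textbook RSA without
# padding is used so the book's E_KR / D_KU notation maps directly onto pow().
def toy_rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return (e, n), (d, n)                  # (KU, KR)

ALICE_PUB, ALICE_PRIV = toy_rsa_keypair((1 << 127) - 1, (1 << 521) - 1)
BOB_PUB, BOB_PRIV = toy_rsa_keypair((1 << 107) - 1, (1 << 607) - 1)

def H(m: bytes) -> int:
    """Message digest H(m) as an integer (fig. 3.5: hash first, then sign)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def sign(priv, m: bytes) -> int:
    d, n = priv
    return pow(H(m), d, n)                 # K_A^-(H(m))

def verify(pub, m: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == H(m)          # recover digest with K_A^+, recompute, compare

# Constructed stand-in for the symmetric cipher inside the digital envelope
# (SHA-256 keystream XOR). A real system would use an AEAD such as AES-GCM.
def toy_stream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

SIG_LEN = 128    # bytes; holds any signature below the toy moduli (< 2**714)

def seal(sender_priv, receiver_pub, m: bytes):
    """Q.8/Q.10: the signature is the inner operation, the envelope the outer one.
    Returns (CT1, wrapped K1): CT1 = E_K1[m || sig], K1 wrapped with K2 = KU_B."""
    sig = sign(sender_priv, m).to_bytes(SIG_LEN, "big")
    k1 = os.urandom(16)                    # one-time symmetric key K1
    ct1 = toy_stream_xor(k1, m + sig)
    e, n = receiver_pub
    wrapped = pow(int.from_bytes(k1, "big"), e, n)   # key wrapping of K1
    return ct1, wrapped

def open_envelope(receiver_priv, sender_pub, ct1: bytes, wrapped: int):
    """Unwrap K1 with KR_B (K3), decrypt, split off the signature, verify it.
    Returns (plaintext, signature_ok); the receiver keeps both for disputes."""
    d, n = receiver_priv
    k1 = pow(wrapped, d, n).to_bytes(16, "big")
    pt = toy_stream_xor(k1, ct1)
    m, sig = pt[:-SIG_LEN], int.from_bytes(pt[-SIG_LEN:], "big")
    return m, verify(sender_pub, m, sig)

def roundtrip():
    """Honest exchange succeeds; one flipped ciphertext byte breaks the signature."""
    m = b"I will buy the record for $500"      # constructed message (Q.12)
    ct1, wrapped = seal(ALICE_PRIV, BOB_PUB, m)
    recovered, ok = open_envelope(BOB_PRIV, ALICE_PUB, ct1, wrapped)
    tampered = ct1[:5] + bytes([ct1[5] ^ 0x01]) + ct1[6:]
    _, ok_tampered = open_envelope(BOB_PRIV, ALICE_PUB, tampered, wrapped)
    return recovered == m and ok, ok_tampered

# Q.5 / Q.7 contrast: a MAC under a shared key cannot settle a dispute.
# (Alice's/Bob's toy keys are reused for the Vishal/Gourav roles.)
SHARED_KEY = b"constructed-key-shared-by-vishal-and-gourav"

def mac(key: bytes, m: bytes) -> bytes:
    return hmac.new(key, m, hashlib.sha256).digest()

def receiver_can_forge_mac() -> bool:
    """Gourav fabricates a message and a tag; a judge checking with the shared
    key accepts it and cannot tell whether Vishal or Gourav produced it."""
    forged = b"transfer 5000"
    tag = mac(SHARED_KEY, forged)                 # Gourav holds the same key
    return hmac.compare_digest(tag, mac(SHARED_KEY, forged))

def receiver_can_forge_signature() -> bool:
    """Gourav holds only the sender's public key; signing with any other
    private key fails verification, so the sender cannot be framed."""
    forged = b"transfer 5000"
    return verify(ALICE_PUB, forged, sign(BOB_PRIV, forged))
```

Because the signature sits inside the envelope, Bob ends up holding the plaintext together with Alice's signature and can show both to a third party without revealing K1 or his private key, which is exactly the dispute-resolution argument of Q.8.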
Q.13. What do you mean by key management ? 
Ans. Key management is the hardest part of cryptography. It is the 
management of cryptographic keys in a cryptosystem. It includes everything 
related to the generation, storage and distribution of keys, as well as 
cryptographic protocol design, key servers, user procedures and other relevant 
protocols. Key management concerns keys at the user level, either between 
users or systems. Successful key management is critical to the security of a 
cryptosystem. 


Q.14. List four general categories of schemes for the distribution of 
public-keys. Describe each of them briefly. 
Or 
Define various methods for key management. 

Ans. Various techniques have been proposed for the distribution of public 
keys. All these proposals can be grouped into four categories — 
(i) Public announcement 
(ii) Publicly available directory 
(iii) Public-key authority 
(iv) Public-key certificates. 

(i) Public Announcement of Public-keys — The point of public-key 
encryption is that the public key is public. Thus, if there is some public-key 
algorithm, such as RSA, any participant can send his or her public key to any 
other participant or broadcast the key to the community at large as shown in 
fig. 3.6. For example, many PGP (pretty good privacy) users have adopted the 
practice of appending their public key to messages that they send to public 
forums, such as USENET newsgroups and Internet mailing lists. 

[Fig. 3.6 Uncontrolled Public-key Distribution — each participant hands out 
its own public key KU to the others] 

Although this approach is convenient, it has a major weakness. Anyone 
can forge such a public announcement, i.e., some user could pretend to be user 
A and send a public key to another participant or broadcast such a public key. 
Until such time as user A discovers the forgery and alerts other participants, 
the forger is able to read all encrypted messages intended for A and can use the 
forged keys for authentication. 
(ii) Publicly Available Directory — A higher degree of security can 
be achieved by maintaining a publicly available dynamic directory of public 
keys. Maintenance and distribution of the public directory would have to be 
the responsibility of some trusted entity or organization, as shown in fig. 3.7. 
Such a scheme has the following elements — 
(a) The authority maintains a directory with a {name, public-key} 
entry for each participant. 
(b) Each participant registers a public key with the directory 
authority. Registration would have to be in person or by some form of secure 
authenticated communication. 
(c) A participant may replace the existing key with a new key at 
any time. 
(d) Periodically, the authority publishes the entire directory or 
updates to the directory. 
(e) Participants could also access the directory electronically. For 
this purpose, secure authenticated communication from the authority to the 
participant is mandatory. 

[Fig. 3.7 Public-key Publication — participants register their KU with the 
public-key directory] 

This scheme is more secure than individual public announcements but still 
has vulnerabilities. If an opponent succeeds in obtaining or computing the private 
key of the directory authority, the opponent could authoritatively pass out public 
keys and subsequently impersonate any participant. Another way to achieve the 
same end is for the opponent to tamper with the records kept by the authority. 

(iii) Public-key Authority — Stronger security for public-key 
distribution can be achieved by providing tighter control over the distribution 
of public keys from the directory. A typical scenario is illustrated in fig. 3.8. 
The scenario assumes that a central authority maintains a dynamic directory of 
public keys of all participants. In addition, each participant reliably knows a 
public key for the authority, with only the authority knowing the corresponding 
private key. 

[Fig. 3.8 Public-key Distribution Scenario — the public-key authority 
exchanges the following messages with initiator A and responder B: 
(1) A → Authority : Request || Time1 
(2) Authority → A : E_KRauth[KU_b || Request || Time1] 
(3) A → B : E_KUb[ID_A || N1] 
(4) B → Authority : Request || Time2 
(5) Authority → B : E_KRauth[KU_a || Request || Time2] 
(6) B → A : E_KUa[N1 || N2] 
(7) A → B : E_KUb[N2]] 

The following steps occur in the scenario — 
(a) Message 1 — A sends a timestamped message to the public-key 
authority containing a request for the current public key of B. 
(b) Message 2 — The authority responds with a message that is 
encrypted using the authority's private key, KR_auth. Thus, A is able to decrypt 
the message using the authority's public key. Therefore, A is assured that the 
message originated with the authority. The message includes the following — 
(1) B's public key, KU_b, which A can use to encrypt messages 
destined for B. 
(2) The original request, to enable A to match this response 
with the corresponding earlier request and to verify that the original request 
was not altered before reception by the authority. 
(3) The original time stamp, so A can determine that this is 
not an old message from the authority containing a key other than B's current 
public key. 
(c) Message 3 — A stores B's public key and also uses it to 
encrypt a message to B containing an identifier of A (ID_A) and a nonce (N1), 
which is used to identify this transaction uniquely. 
(d) Messages 4, 5 — B retrieves A's public key from the authority 
in the same manner as A retrieved B's public key. 
At this point public keys have been securely delivered to A and B and 
they may begin their protected exchange. However, two additional steps are 
desirable — 
(e) Message 6 — B sends a message to A encrypted with KU_a 
and containing A's nonce (N1) as well as a new nonce generated by B (N2). 
Because only B could have decrypted message (3), the presence of N1 in 
message (6) assures A that the correspondent is B. 
(f) Message 7 — A returns N2, encrypted using B's public key, 
to assure B that its correspondent is A. 
Thus, a total of 7 messages are required. However, the initial four messages 
need be used only infrequently because both A and B can save the other's public 
key for future use, a technique known as caching. Periodically, a user should 
request fresh copies of the public keys of its correspondents to ensure currency. 

(iv) Public-key Certificates — The scenario described above has some 
drawbacks. The public-key authority could be somewhat of a bottleneck in the 
system, for a user must appeal to the authority for a public key for every other 
user that it wishes to contact. As before, the directory of names and public 
keys maintained by the authority is vulnerable to tampering. 

An alternative approach is to use certificates that can be used by 
participants to exchange keys without contacting a public-key authority, in a 
way that is as reliable as if the keys were obtained directly from a public-key 
authority. A certificate contains a public key and other information, is created 
by a certificate authority, and is given to the participant with the matching 
private key. A participant conveys its key information to another by transmitting 
its certificate. Other participants can verify that the certificate was created by 
the authority. The scheme has the following requirements — 
(a) Any participant can read a certificate to determine the name 
and public key of the certificate's owner. 
(b) Any participant can verify that the certificate originated from 
the certificate authority and is not counterfeit. 
(c) Only the certificate authority can create and update certificates. 
(d) In addition, any participant can verify the currency of the 
certificate. 

A certificate scheme is illustrated in fig. 3.9. Each participant applies to 
the certificate authority, supplying a public key and requesting a certificate. 
Application must be in person or by some form of secure authenticated 
communication. For participant A, the authority provides a certificate of the 
form 
C_A = E_KRauth[T, ID_A, KU_a] 
where KR_auth is the private key used by the authority. Then A may pass this 
certificate on to any other participant, who reads and verifies the certificate as 
follows — 
D_KUauth[C_A] = D_KUauth[E_KRauth[T, ID_A, KU_a]] 
= (T, ID_A, KU_a) 

[Fig. 3.9 Exchange of Public-key Certificates] 

The recipient uses the authority's public key, KU_auth, to decrypt the 
certificate. The elements ID_A and KU_a provide the recipient with the name and 
public key of the certificate's holder. The timestamp T validates the currency of 
the certificate. The timestamp counters the following scenario. A's private key is 
learned by an opponent. A generates a new private/public key pair and applies to 
the certificate authority for a new certificate. Meanwhile, the opponent replays 
the old certificate to B. If B then encrypts messages using the compromised old 
public key, the opponent can read those messages. 

In this context, the compromise of a private key is comparable to the loss 
of a credit card. The owner cancels the credit card number but is at risk until all 
possible communicants are aware that the old credit card is obsolete. Thus, the 
timestamp serves as something like an expiration date. If a certificate is 
sufficiently old, it is assumed to be expired. 
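As an added example (not the book's code) of the certificate scheme in (iv), the following builds C_A = E_KRauth[T, ID_A, KU_a] and the verification D_KUauth[C_A], and then runs the replay scenario the text describes: after A's key is compromised and re-issued, an opponent replays the old certificate, which the timestamp check rejects. It assumes a toy authority key built from Mersenne primes (textbook RSA on a SHA-256 digest standing in for E_KRauth), a canonical JSON encoding of the (T, ID, KU) tuple, an assumed 30-day validity window `MAX_AGE`, constructed epoch times, and placeholder integers for the participants' public keys.

```python
import hashlib
import json

# Constructed authority key pair (Mersenne primes, toy size). KU_auth = (E, N),
# KR_auth = (D, N). Not a real key-generation procedure; illustration only.
P_AUTH, Q_AUTH = (1 << 127) - 1, (1 << 521) - 1
N_AUTH = P_AUTH * Q_AUTH
E_AUTH = 65537
D_AUTH = pow(E_AUTH, -1, (P_AUTH - 1) * (Q_AUTH - 1))     # Python 3.8+
MAX_AGE = 30 * 24 * 3600    # assumed validity window in seconds (a policy choice)

def _digest(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def _encode(body: dict) -> bytes:
    # Canonical byte encoding of (T, ID_A, KU_a) so signer and verifier hash the same bytes
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(participant_id: str, participant_pub: list, issued_at: int) -> dict:
    """C_A = E_KRauth[T, ID_A, KU_a]: the authority signs the digest of the tuple
    with its private key (textbook RSA on the hash stands in for E_KRauth)."""
    body = {"T": issued_at, "ID": participant_id, "KU": participant_pub}
    return {"body": body, "sig": pow(_digest(_encode(body)), D_AUTH, N_AUTH)}

def check_certificate(cert: dict, now: int):
    """D_KUauth[C_A]: anyone holding KU_auth verifies origin; T decides currency.
    Returns (accepted, reason)."""
    if pow(cert["sig"], E_AUTH, N_AUTH) != _digest(_encode(cert["body"])):
        return False, "not issued by the authority, or altered in transit"
    age = now - cert["body"]["T"]
    if age < 0:
        return False, "timestamp lies in the future"
    if age > MAX_AGE:
        return False, "certificate too old: treated as expired"
    return True, "valid"

def replay_scenario():
    """The text's scenario: A's old key is compromised, A obtains a new certificate,
    and an opponent later replays the old one to B. Times and keys are constructed."""
    t0 = 1_700_000_000                        # constructed epoch time of the old certificate
    old_cert = issue_certificate("A", [65537, 1111], t0)              # placeholder KU_a
    new_cert = issue_certificate("A", [65537, 2222], t0 + 60 * 86400)  # placeholder new KU_a
    now = t0 + 61 * 86400
    return check_certificate(old_cert, now)[0], check_certificate(new_cert, now)[0]
```

Note that the verifier never contacts the authority: the signature check needs only KU_auth, and the currency check needs only a clock, which is the point of requirement (d) and of the "expiration date" role of T.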


Q.15. Write short note on key exchange. 

Ans. Key exchange protocols enable secure communication over an 
untrusted network by setting up shared keys between two or more parties. For 
example, SSL and TLS provide symmetric encryption keys for secure 
transactions, IPSec protocols provide confidentiality and integrity at the network 
layer, IEEE 802.11i provides data protection and integrity in wireless local 
area networks, and Kerberos provides authenticated client-server interaction 
in local area networks. While some of these protocols have been proved secure 
in the simplified symbolic Dolev-Yao model, most key exchange protocols in 
use today have not been proved secure in the complexity-theoretic model of 
modern cryptography. 


Q.16. Define hash function. (R.G.P.V., Dec. 200…) 
Or 
Write short note on hash functions. (R.G.P.V., Dec. 2004, …) 
Or 
Write short note on hash value. (R.G.P.V., June 2017) 
Or 
Explain hash function in detail. (R.G.P.V., June 2015) 

Ans. A hash function is a function, mathematical or otherwise, that takes 
a variable-length input string (called a pre-image) and converts it to a 
fixed-length (generally smaller) output string (called a hash value). A simple hash 
function would be a function that takes a pre-image and returns a byte consisting 
of the XOR of all the input bytes. 

A hash value h is generated by a function H of the form 

h = H(M) 

where M is a variable-length message and H(M) is the fixed-length hash value. 
The hash value is appended to the message at the source at a time when the 
message is assumed or known to be correct. The receiver authenticates the 
message by recomputing the hash value. Because the hash function itself is 
not considered to be secret, some means is required to protect the hash value. 


Q.17. What is hash function and what can it be used for ? 
(R.G.P.V., June 2011) 
Or 
What is hash function ? Give the basic uses of hash function. 
(R.G.P.V., May 2019) 
Ans. Hash Function — Refer to Q.16. 
Uses of Hash Function — 
(i) The message plus concatenated hash code is encrypted using 
symmetric encryption. This is similar in structure to the internal error control. 
The same line of reasoning applies — the message must have come from X and 
has not been changed, because only X and Y share the secret key. The hash code 
provides the structure or redundancy needed to achieve authentication. 
Confidentiality is also offered because encryption is applied to the entire 
message plus hash code. 
(ii) Using symmetric encryption, only the hash code is encrypted. This 
reduces the processing burden for those applications that do not need confidentiality. 
(iii) Using public-key encryption and the sender's private key, only the 
hash code is encrypted. This provides authentication as shown in fig. 3.10(c). 
Because only the sender could have produced the encrypted hash code, a digital 
signature is also provided. 
(iv) The message plus the public-key-encrypted hash code can be 
encrypted using a symmetric secret key to achieve confidentiality as well as a 
digital signature. This is a common technique. 
(v) A hash function is used in this technique but there is no encryption 
for message authentication. In this technique, it is assumed that the two 
communicating parties share a common secret value S. X computes the hash 
value over the concatenation of M and S and appends the resulting hash value 
to M. Since Y keeps S, it can recompute the hash value to verify. 
(vi) Confidentiality can be added to the approach of (v) by encrypting 
the entire message plus the hash code. 

[Fig. 3.10 Basic Uses of Hash Function — source X sends, destination Y 
recomputes and compares: 
(a) E_K[M || H(M)] 
(b) M || E_K[H(M)] 
(c) M || E_KRa[H(M)] 
(d) E_K[M || E_KRa[H(M)]] 
(e) M || H(M || S) 
(f) E_K[M || H(M || S)]] 


Q.18. What is the role of a compression function in a hash function ? 
(R.G.P.V., Dec. 2005) 

Ans. Damgård and Merkle greatly influenced cryptographic hash function 
design by defining a hash function in terms of what is called a compression 
function. A compression function takes a fixed-length input and returns a shorter, 
fixed-length output. Given a compression function, a hash function can be defined 
by repeated applications of the compression function until the entire message 
has been processed. In this process, a message of arbitrary length is broken into 
blocks whose length depends on the compression function, and "padded" (for 
security reasons) so the size of the message is a multiple of the block size. The 
blocks are then processed sequentially, taking as input the result of the hash so 
far and the current message block, with the final output being the hash value for 
the message (see fig. 3.11). 

[Fig. 3.11 Iterative Structure for Hash Functions; F is a Compression 
Function — Initial Value → F(Message Block 1) → F(Message Block 2) → … → hash value] 
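The iterative structure of fig. 3.11, as an added example that is not the book's code: a Merkle-Damgård hash built from a compression function F, with the padding the text mentions, alongside a deliberately naive variant that pads with zero bytes only, to show what the "for security reasons" is about. The block size, state size, all-zero initial value and the compression function (SHA-256 applied to the chaining value and block, used purely so the example runs) are all constructed assumptions, not a real hash design.

```python
import hashlib
import struct

BLOCK = 64                 # message block size in bytes (assumed, as in SHA-256)
STATE = 32                 # chaining-value / hash size in bytes (assumed)
IV = bytes(STATE)          # constructed initial value (all zero) for illustration

def compress(h: bytes, block: bytes) -> bytes:
    """Constructed compression function F: (STATE + BLOCK) bytes in, STATE bytes out.
    Built on SHA-256 only so the example runs; it is not a real F design."""
    assert len(h) == STATE and len(block) == BLOCK
    return hashlib.sha256(h + block).digest()

def md_pad(m: bytes) -> bytes:
    """Merkle-Damgard strengthening: append 0x80, zero bytes, then the 64-bit
    message length in bits, so the result is a whole number of blocks."""
    padded = m + b"\x80"
    padded += b"\x00" * ((BLOCK - 8 - len(padded) % BLOCK) % BLOCK)
    return padded + struct.pack(">Q", len(m) * 8)

def md_hash(m: bytes) -> bytes:
    """Iterate F over the padded blocks (fig. 3.11); the last chaining value is the hash."""
    h = IV
    padded = md_pad(m)
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h

def naive_hash(m: bytes) -> bytes:
    """Same iteration but with zero-fill only (no 0x80, no length field).
    Kept here to show why the text says the padding is 'for security reasons'."""
    h = IV
    padded = m + b"\x00" * ((BLOCK - len(m) % BLOCK) % BLOCK)
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h

def padding_collision_example():
    """Two different messages the naive scheme hashes alike, but md_hash separates.
    Returns (naive_collides, md_collides)."""
    a, b = b"pay 100", b"pay 100\x00"             # constructed inputs
    return naive_hash(a) == naive_hash(b), md_hash(a) == md_hash(b)
```

With zero-fill padding, a message and the same message with trailing zero bytes produce identical block sequences, so F sees identical input and the naive hash cannot distinguish them; encoding the true length in the last block removes that trivial collision, and the Merkle-Damgård argument quoted after the figure then carries F's collision resistance over to the whole hash.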


The motivation for this iterative structure stems from the observation by Merkle that if the compression function is collision resistant, then so is the resultant iterated hash function. Therefore, the structure can be used to produce a secure hash function to operate on a message of any length. The problem of designing a secure hash function reduces to that of designing a collision-resistant compression function that operates on inputs of some fixed size.

Q.19. What are the various requirements for a hash function to be used


for message authentication?
Or
What are the various requirements that must be fulfilled by a hash function? (R.G.P.V., Dec. 2011)
Or
What characteristics are needed in a secure hash function? (R.G.P.V., June 2012)
Ans. The purpose of a hash function is to produce a “fingerprint” of a file, message, or other block of data. A hash function H must have the following properties to be useful for message authentication —
(i) H can be applied to a block of data of any size.
(ii) H produces a fixed-length output.
(iii) H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
(iv) For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.
(v) For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). This is sometimes referred to as weak collision resistance.
(vi) It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is sometimes referred to as strong collision resistance.


The first three properties are requirements for the practical application of a hash function to message authentication.

The fourth property is the one-way property. It is easy to generate a code given a message, but virtually impossible to generate a message given a code. This property is important when the authentication technique involves the use of a secret value. The secret value itself is not sent. However, if the hash function is not one way, an attacker can easily discover the secret value.

The fifth property guarantees that an alternative message hashing to the same value as a given message cannot be found. This prevents forgery when an encrypted hash code is used. For these cases, the opponent can read the message and therefore generate its hash code. However, because the opponent does not have the secret key, the opponent should not be able to alter the message without detection. If this property were not true, an attacker would be capable of the following sequence, i.e., first, intercept a message plus its encrypted hash code; second, generate an unencrypted hash code from the message; third, generate an alternate message with the same hash code.


The sixth property refers to how resistant the hash function is to a type of attack known as the birthday attack.

Q.20. Discuss the working principles of hash function.
Or
Define simple hash functions using bitwise XOR. (R.G.P.V., Dec. 200)

Ans. All hash functions operate using the following general principle. The input (message, file etc.) is viewed as a sequence of n-bit blocks. The input is processed one block at a time in an iterative fashion to produce an n-bit hash function.

One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block. This can be expressed as follows —
C_i = b_i1 ⊕ b_i2 ⊕ ... ⊕ b_im
where, C_i = ith bit of the hash code, 1 ≤ i ≤ n
m = Number of n-bit blocks in the input
b_ij = ith bit in jth block
⊕ = XOR operation.

Fig. 3.12 shows this operation; it produces a simple parity for each bit position and is known as a longitudinal redundancy check. It is reasonably effective for random data as a data integrity check. Each n-bit hash value is equally likely. Thus, the probability that a data error will result in an unchanged hash value is 2^-n. With more predictably formatted data, the function is less effective. For example, in most normal text files, the high-order bit of each octet is always zero. So if a 128-bit hash value is used, instead of an effectiveness of 2^-128, the hash function on this type of data has an effectiveness of 2^-112.

[Fig. 3.12: columns Bit 1, Bit 2, ..., Bit n; rows Block 1, Block 2, ..., Block m; the XOR of each column gives the Hash Code row]
Fig. 3.12 Simple Hash Function Using Bitwise XOR

A simple way to improve matters is to perform a one-bit circular shift, or rotation, on the hash value after each block is processed. The procedure can be summarized as follows —
(i) Initially set the n-bit hash value to zero.
(ii) Process each successive n-bit block of data as follows —
(a) Rotate the current hash value to the left by one bit.
(b) XOR the block into the hash value.
This has the effect of “randomizing” the input more completely and overcoming any regularities that appear in the input.

Q.21. Write short note on birthday attack. (R.G.P.V., June 2012)
Or
What do you mean by birthday attack? (R.G.P.V., June 2009)

Ans. Suppose that a 64-bit hash code is used. One might think that this is quite secure. For instance, if an encrypted hash code C is transmitted with the corresponding unencrypted message M, then an opponent would need to find an M' such that H(M') = H(M) to substitute another message and fool the receiver. On average, the opponent would have to try about 2^63 messages to find one that matches the hash code of the intercepted message.

However, a different type of attack is possible based on the birthday paradox. Yuval proposed the following strategy —
(i) The source, A, is prepared to “sign” a message by appending the appropriate m-bit hash code and encrypting that hash code with A’s private key.
(ii) The opponent generates 2^(m/2) variations on the message, all of which convey essentially the same meaning. The opponent prepares an equal number of messages, all of which are variations on the fraudulent message to be substituted for the real one.
(iii) The two sets of messages are compared to find a pair of messages that produces the same hash code. The probability of success, by the birthday paradox, is greater than 0.5. If no match is found, additional valid and fraudulent messages are generated until a match is made.
(iv) The opponent offers the valid variation to A for signature. This signature can then be attached to the fraudulent variation for transmission to the intended recipient. Since the two variations have the same hash code, they will produce the same signature. The opponent is assured of success even though the encryption key is not known.
Thus, if a 64-bit hash code is used, the level of effort required is only on the order of 2^32. The generation of many variations that convey the same meaning is not difficult (see fig. 3.13).


[Fig. 3.13: a letter beginning “Dear Anthony,” introducing a new chief jewellery buyer, with alternative wordings offered in braces at each of many positions]
Fig. 3.13 A Letter in 2^37 Variations


Q.22. Write short note on universal hashing.

Ans. Definition — A randomized algorithm H for constructing hash functions h : U → {1, ..., M} is universal if for all x ≠ y in U, we have
Pr_{h←H}[h(x) = h(y)] ≤ 1/M.

We also say that a set H of hash functions is a universal hash function family if the procedure “choose h ∈ H at random” is universal. (Here we are identifying the set of functions with the uniform distribution over the set.)

Theorem — If H is universal, then for any set S ⊆ U of size N, for any x ∈ U (e.g., that we might want to lookup), if we construct h at random according to H, the expected number of collisions between x and other elements in S is at most N/M.

Proof — Each y ∈ S (y ≠ x) has at most a 1/M chance of colliding with x by the definition of “universal”. So,
(i) Let C_xy = 1 if x and y collide and 0 otherwise.
(ii) Let C_x denote the total number of collisions for x. So, C_x = Σ_{y∈S, y≠x} C_xy.
(iii) We know E[C_xy] = Pr(x and y collide) ≤ 1/M.
(iv) So, by linearity of expectation, E[C_x] = Σ_y E[C_xy] < N/M.
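As an added example that is not from the book, the definition and the theorem above can be checked exhaustively on a small family. The family h_{a,b}(x) = ((ax + b) mod p) mod M is this example's assumption, since the page names no concrete family; exact fractions are used so the 1/M and N/M bounds are compared without rounding.

```python
from fractions import Fraction
from typing import Callable, Iterable, List

# Toy sizes constructed for this example: the universe U = {0, ..., P-1} is
# hashed into M buckets (the page writes the range as {1, ..., M}; using
# {0, ..., M-1} here changes nothing in the argument).
P = 17   # a prime at least as large as |U|
M = 4    # number of buckets


def make_family(p: int, m: int) -> List[Callable[[int], int]]:
    """h_{a,b}(x) = ((a*x + b) mod p) mod m for a in 1..p-1, b in 0..p-1.
    Assumption of this example: this Carter-Wegman family is universal (the
    proof is standard); the page itself names no family."""
    return [(lambda x, a=a, b=b: ((a * x + b) % p) % m)
            for a in range(1, p) for b in range(p)]


def collision_probability(family, x: int, y: int) -> Fraction:
    """Pr_{h<-H}[h(x) = h(y)] for h drawn uniformly from the family."""
    hits = sum(1 for h in family if h(x) == h(y))
    return Fraction(hits, len(family))


def is_universal(family, universe: Iterable[int], m: int) -> bool:
    """The definition: every pair x != y collides with probability <= 1/M."""
    u = list(universe)
    return all(collision_probability(family, x, y) <= Fraction(1, m)
               for x in u for y in u if x != y)


def expected_collisions(family, s: List[int], x: int) -> Fraction:
    """E[C_x] with C_x = sum over y in S, y != x, of C_xy; computed exactly by
    averaging the collision count over every h in the family."""
    total = sum(sum(1 for y in s if y != x and h(y) == h(x)) for h in family)
    return Fraction(total, len(family))


def theorem_holds(family, s: List[int], x: int, m: int) -> bool:
    """The theorem's bound: E[C_x] <= N/M with N = |S|."""
    return expected_collisions(family, s, x) <= Fraction(len(s), m)
```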


Q.23. Write short note on cryptographic hash function.

Ans. The term hash function has been used in computer science for some time and it refers to a function that compresses a string of arbitrary length to a string of fixed length. However, if it satisfies some additional requirements, then it can be used for cryptographic applications and is then known as a cryptographic hash function.

Cryptographic hash functions are one of the most important tools in the field of cryptography and are used to achieve a number of security goals like authenticity, digital signatures, pseudo number generation, digital steganography, digital time stamping etc.


Q.24. What is message digest (MD)? Explain.

Ans. A message digest (MD) is a fingerprint or the summary of a message. It is similar to the concepts of Longitudinal Redundancy Check (LRC) or Cyclic Redundancy Check (CRC). That is, it is used to verify the integrity of the data (i.e., to ensure that a message has not been tampered with after it leaves the sender but before it reaches the receiver). Let us understand this with the help of an LRC example.

Fig. 3.14 shows an example of LRC calculation at the sender’s end. As shown, a block of bits is organized in the form of a list (as rows) in the Longitudinal Redundancy Check (LRC). Here, for instance, if we want to send 32 bits, we arrange them into a list of four (horizontal) rows. Then we count how many 1 bits occur in each of the 8 (vertical) columns. [If the number of 1s in the column is odd, then we say that the column has odd parity (indicated by a 1 bit in the shaded LRC row); otherwise, if the number of 1s in the column is even, we call it even parity (indicated by a 0 bit in the shaded LRC row).] For instance, in the first column, we have two 1s, indicating an even parity, and therefore we have a 0 in the shaded LRC row for the first column. Similarly, for the last column, we have three 1s, indicating an odd parity, and therefore we have a 1 in the shaded LRC row for the last column. Thus, the parity bit for each column is calculated and a new row of eight parity bits is created. These become the parity bits for the whole block. Thus, the LRC is actually a fingerprint of the original message.
Original Data
11100100 11011101 00111001 00101001

Original Data Arranged as Rows of a List
11100100
11011101
00111001
00101001
LRC (shaded row)
00101001

Original Data and LRC
11100100 11011101 00111001 00101001 | 00101001

Fig. 3.14 Longitudinal Redundancy Check (LRC)


The data along with the LRC is then sent to the receiver. The receiver separates the data block from the LRC block (shown shaded). It performs its own LRC on the data block alone. It then compares its LRC values with the ones received from the sender. If the two LRC values match, then the receiver has a reasonable confidence that the message sent by the sender has not been changed while in transit.
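The bitwise-XOR hash and its rotated variant of Q.20, and the LRC of Q.24 (which is the same XOR hash taken over 8-bit blocks), as an added example that is not the book's code. The 32-bit data block is the one in Fig. 3.14; the ASCII sample text and the zero-padding of a short final block are this example's own choices.

```python
from typing import Callable, List


def split_blocks(data: bytes, n_bytes: int) -> List[int]:
    """View the input as a sequence of n-bit blocks (n = 8 * n_bytes), the general
    principle of Q.20; a short final block is zero-padded (this example's choice)."""
    data += b"\x00" * ((-len(data)) % n_bytes)
    return [int.from_bytes(data[i:i + n_bytes], "big")
            for i in range(0, len(data), n_bytes)]


def xor_hash(data: bytes, n_bytes: int = 1) -> int:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im: every hash bit is the parity of one
    bit position over all blocks.  With 8-bit blocks this is exactly the LRC."""
    h = 0
    for block in split_blocks(data, n_bytes):
        h ^= block
    return h


def rotl(value: int, n_bits: int, shift: int = 1) -> int:
    """Circular left shift of an n-bit value."""
    mask = (1 << n_bits) - 1
    return ((value << shift) | (value >> (n_bits - shift))) & mask


def rotated_xor_hash(data: bytes, n_bytes: int = 1) -> int:
    """The improved procedure: (i) start from zero; (ii) for each block, (a) rotate
    the current hash left by one bit, then (b) XOR the block into it."""
    n_bits = 8 * n_bytes
    h = 0
    for block in split_blocks(data, n_bytes):
        h = rotl(h, n_bits)
        h ^= block
    return h


def lrc_row(data: bytes) -> str:
    """The shaded LRC row of Fig. 3.14: one parity bit per column."""
    return format(xor_hash(data, 1), "08b")


def receiver_accepts(data: bytes, received_lrc: str) -> bool:
    """The receiver's check: recompute the LRC over the data block alone and compare."""
    return lrc_row(data) == received_lrc


# The 32 data bits of Fig. 3.14, arranged as four 8-bit rows.
FIG_3_14_DATA = bytes([0b11100100, 0b11011101, 0b00111001, 0b00101001])

# Constructed ASCII text: the high-order bit of every octet is zero, so a plain
# 128-bit XOR hash over 16-byte blocks can never set any of the 16 high-order
# bits (effectiveness 2^-112 instead of 2^-128); the rotated hash can.
ASCII_TEXT = b"Hash functions produce digests!!"      # 32 bytes = two 16-byte blocks
HIGH_BITS_128 = int.from_bytes(b"\x80" * 16, "big")    # bit 7 of each of the 16 octets


def high_bits_set(hash_fn: Callable[[bytes, int], int], data: bytes) -> bool:
    """True if the 128-bit hash of data has any octet's high-order bit set."""
    return (hash_fn(data, 16) & HIGH_BITS_128) != 0
```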


We perform a hashing operation (or a message digest algorithm) over a block of data to produce its hash or message digest, which is smaller in size than the original message. This concept is shown in fig. 3.15.

Actually, the message digests are not so small and straightforward to compute. Message digests usually consist of 128 or more bits. This means that the chance of any two message digests being the same is anything between 0 to at least 2^128. The message digest length is chosen to be so long with a purpose. This ensures that the scope for two message digests being the same is minimized.

Fig. 3.15 Message Digest Concept


Q.25. Explain Secure Hash Algorithm.

Ans. The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993. A revised version was issued as FIPS 180-1 in 1995 and is referred to as SHA-1. The actual standards document is entitled Secure Hash Standard.

This standard specifies a SHA, which is necessary to ensure the security of the Digital Signature Algorithm (DSA). When a message of any length < 2^64 bits is input, the SHA produces a 160-bit output called a message digest. The message digest is then input to the DSA, which computes the signature for the message. Signing the message digest rather than the message improves the efficiency of the process, because the message digest is usually much smaller than the message. The same message digest should be obtained by the verifier of the signature when the received version of the message is used as input to SHA. The SHA is called secure because it is designed to be computationally infeasible to recover a message corresponding to a given message digest, or to find two different messages which produce the same message digest. Any change to a message in transit will, with a very high probability, result in a different message digest, and the signature will fail to verify. SHA is based on principles similar to those used by Rivest when designing MD4 and is closely modelled after that algorithm. SHA produces a hash value longer than that of MD5.


Q.26. Explain secure hash algorithm (SHA-1).

Ans. The SHA-1 algorithm takes as input a message with a maximum length of less than 2^64 bits and produces as output a 160-bit message digest. The input is processed in 512-bit blocks.

The processing of a message consists of the following steps —

(i) Append Padding Bits — The message is padded so that its length is congruent to 448 modulo 512 (length ≡ 448 mod 512). Padding is always added even if the message is already of the desired length. Thus, the number of padding bits is in the range of 1 to 512. The padding consists of a single 1-bit followed by the necessary number of 0-bits.

(ii) Append Length — A block of 64 bits is appended to the message. This block is treated as an unsigned 64-bit integer (MSB first) and contains the length of the original message (before the padding).

(iii) Initialize MD Buffer — A 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as five 32-bit registers (A, B, C, D, E). These registers are initialized to the following 32-bit integers (hexadecimal values) —

A = 67452301

B = EFCDAB89

C = 98BADCFE

D = 10325476

E = C3D2E1F0

Note that the first four values are the same as those used in MD5. However, in the case of SHA-1, these values are stored in big-endian format, which is the most significant byte of a word in the low-address byte position. As 32-bit strings, the initialization values, in hexadecimal, appear as follows —
word A : 67 45 23 01
word B : EF CD AB 89
word C : 98 BA DC FE
word D : 10 32 54 76
word E : C3 D2 E1 F0

(iv) Process Message in 512-bit (16-word) Blocks — The heart of the algorithm is a module that consists of four rounds of processing of 20 steps each. The logic is shown in fig. 3.16. The four rounds have a similar structure, but each uses a different primitive logical function, which we refer to as f1, f2, f3 and f4. Each round takes as input the current 512-bit block being processed (Y_q) and the 160-bit buffer value ABCDE and updates the contents of the buffer. Each round also makes use of an additive constant K_t, where 0 ≤ t ≤ 79 indicates one of the 80 steps across the four rounds. In fact, only four distinct constants are used. The values, in hexadecimal, are as follows —

Step number      Hexadecimal        Take integer part of
0 ≤ t ≤ 19       K_t = 5A827999     [2^30 × √2]
20 ≤ t ≤ 39      K_t = 6ED9EBA1     [2^30 × √3]
40 ≤ t ≤ 59      K_t = 8F1BBCDC     [2^30 × √5]
60 ≤ t ≤ 79      K_t = CA62C1D6     [2^30 × √10]

The output of the fourth round (80th step) is added to the input to the first round (CV_q) to produce CV_(q+1). The addition is done independently for each of the five words in the buffer with each of the corresponding words in CV_q, using addition modulo 2^32.

(v) Output — After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.

The behaviour of SHA-1 can be summarized as follows —
CV_0 = IV
CV_(q+1) = SUM32(CV_q, ABCDE_q)
MD = CV_L
where, IV = Initial value of the ABCDE buffer, defined in step (iii).
ABCDE_q = The output of the last round of the processing of the qth message block.
L = The number of blocks in the message (including padding and length fields).
SUM32 = Addition modulo 2^32 performed separately on each word of the pair of inputs.
MD = Final message digest value.

[Fig. 3.16: CV_q and Y_q enter four rounds of 20 steps each, using f1, K, W[0...19]; f2, K, W[20...39]; f3, K, W[40...59]; f4, K, W[60...79]; the result is added to CV_q to give CV_(q+1). Note: Addition (+) is mod 2^32.]
Fig. 3.16 SHA-1 Processing of a Single 512-bit Block (SHA-1 Compression Function)
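Steps (i) to (v) above carried out in Python, as an added example that is not the book's code: the padding and 64-bit length, the initial buffer, the 80-step compression function with f1 to f4 and the four K_t constants, and the SUM32 chaining. Python's hashlib is used only to cross-check the result.

```python
import hashlib
import struct
from typing import Tuple

MASK32 = 0xFFFFFFFF
# Step (iii): the initial ABCDE buffer (IV).
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
# Step (iv): one additive constant per 20-step round, K_t = K[t // 20].
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)


def rotl32(x: int, n: int) -> int:
    """Circular left shift of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad_message(message: bytes) -> bytes:
    """Steps (i) and (ii): a single 1-bit, then 0-bits up to 448 mod 512 bits,
    then the original bit length as a 64-bit big-endian (MSB-first) integer."""
    bit_length = 8 * len(message)
    padded = message + b"\x80"                       # the 1-bit plus seven 0-bits
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_length)


def f(t: int, b: int, c: int, d: int) -> int:
    """The primitive logical function of step t: f1, f2, f3 or f4."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def compress(cv: Tuple[int, ...], block: bytes) -> Tuple[int, ...]:
    """The compression function of Fig. 3.16: CV_(q+1) = SUM32(CV_q, ABCDE_q)."""
    w = list(struct.unpack(">16I", block))           # the 16 words of Y_q
    for t in range(16, 80):                          # expand to the 80 words W[0..79]
        w.append(rotl32(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = cv
    for t in range(80):                              # four rounds of 20 steps
        temp = (rotl32(a, 5) + f(t, b, c, d) + e + w[t] + K[t // 20]) & MASK32
        a, b, c, d, e = temp, a, rotl32(b, 30), c, d
    # SUM32: add each output word to the corresponding input word, mod 2^32.
    return tuple((x + y) & MASK32 for x, y in zip(cv, (a, b, c, d, e)))


def sha1(message: bytes) -> bytes:
    """Step (v): run every 512-bit block through the compression function; the
    output of the L-th stage is the 160-bit message digest."""
    padded = pad_message(message)
    cv = IV
    for i in range(0, len(padded), 64):
        cv = compress(cv, padded[i:i + 64])
    return b"".join(struct.pack(">I", word) for word in cv)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return sha1(message) == hashlib.sha1(message).digest()
```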

Q.27. What do you understand by DSS? With DSS, because the value of k is generated for each signature, even if the message is signed twice the signatures will differ. This is not true with RSA signatures. What is the practical implication of this difference? What are some threats associated with DSS? (R.G.P.V., Dec. 2003, June 2004)
Or
Write short note on digital signature standard. (R.G.P.V., Dec. 2007)
Or
Explain digital signature standards in brief. (R.G.P.V., June 2013)

Ans. The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS). The DSS makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature technique, the Digital Signature Algorithm (DSA). The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme. An expanded version of the standard was issued as FIPS 186-2 in 2000. This latest version also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography.

The DSS uses an algorithm which is designed to provide only the digital signature function. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique.

Fig. 3.17 shows the DSS approach for generating digital signatures next to that used with RSA. In the RSA approach, the message to be signed is input to a hash function that produces a secure hash code of fixed length. This hash code is then encrypted using the sender’s private key to form the signature. Both the message and the signature are then transmitted. The recipient takes the message and produces a hash code. The recipient also decrypts the signature using the sender’s public key.
Fig. 3.17 Two Approaches to Digital Signatures: (a) RSA Approach, (b) DSS Approach


If the calculated hash code matches the decrypted signature, the signature is accepted as valid. Because only the sender knows the private key, only the sender could have produced a valid signature.

The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number k generated for this particular signature. The signature function also depends on the sender’s private key (KRa) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (KUG). The result is a signature consisting of two components, labeled s and r.

At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function. The verification function also depends on the global public key as well as the sender’s public key (KUa), which is paired with the sender’s private key. The output of the verification function is a value that is equal to the signature component r if the signature is valid. The signature function is such that only the sender, with knowledge of the private key, could have produced the valid signature.

Threats associated with DSS are that it has been criticized for being —
(i) Too secret
(ii) Too new (yet not thoroughly analyzed)
(iii) Too slow (10 to 40 times slower than RSA)
(iv) Too insecure (fixed 512-bit key).
In a subsequent revision, the fourth point was rendered moot when keys up to 1024 bits were allowed.


Q.28. Explain the Digital Signature Algorithm (DSA).

Ans. The National Institute of Standards and Technology (NIST) proposed the Digital Signature Algorithm (DSA) for use in their Digital Signature Standard (DSS). It is used to generate and verify a digital value called a signature. DSA is a variant of the Schnorr and ElGamal signature algorithms and uses the following parameters —
p is a prime number L bits long, where L ranges from 512 to 1024 and is a multiple of 64.
q is a 160-bit prime factor of p − 1.
g = h^((p−1)/q) mod p, where h is any number less than p − 1 such that h^((p−1)/q) mod p is greater than 1.
x is a number less than q.
y = g^x mod p.
The algorithm also makes use of a one-way hash function, H(m). The standard specifies the secure hash algorithm (SHA).
The first three parameters p, q and g are public and can be common across a network of users. The private key is x, the public key is y.

To sign a message m —
(i) Alice generates a random number, k, less than q.
(ii) Alice generates —
r = (g^k mod p) mod q
s = (k^-1 (H(m) + xr)) mod q
The parameters r and s are her signature; she sends these to Bob.
(iii) Bob verifies the signature by computing —
w = s^-1 mod q
u1 = (H(m) · w) mod q
u2 = (r · w) mod q
v = ((g^u1 · y^u2) mod p) mod q
If v = r, then the signature is verified.
Table 3.3 provides a summary.


Table 3.3 DSA Signatures

Public Key —
p   512-bit to 1024-bit prime (can be shared among a group of users)
q   160-bit prime factor of p − 1 (can be shared among a group of users)
g   = h^((p−1)/q) mod p, where h is less than p − 1 and h^((p−1)/q) mod p > 1 (can be shared among a group of users)
y   = g^x mod p (a p-bit number)

Private Key —
x   < q (a 160-bit number)

Signing —
k   choose at random, less than q
r (signature) = (g^k mod p) mod q
s (signature) = (k^-1 (H(m) + xr)) mod q

Verifying —
w = s^-1 mod q
u1 = (H(m) · w) mod q
u2 = (r · w) mod q
v = ((g^u1 · y^u2) mod p) mod q
If v = r, then the signature is verified.
Q.29. DSA specifies that if the signature generation process results in a value of s = 0, a new value of k should be generated and the signature should be recalculated. Why? (R.G.P.V.)

Ans. In the DSA algorithm, at the signing end we compute
r = (g^k mod p) mod q
s = [k^-1 (H(M) + xr)] mod q
signature = (r, s)
At the receiving end, for verification we compute
w = (s')^-1 mod q
u1 = [H(M') · w] mod q
u2 = (r' · w) mod q
v = [(g^u1 · y^u2) mod p] mod q
TEST: v = r'

If during the signing process the value of s comes out to be zero, then at the receiving end, for verification, we compute w = (s')^-1, which results in w = 1/0 = ∞ (infinite quantity), from which the computation of u1, u2 and hence v is not possible and the scheme fails.

Thus, if the signature generation process results in a value of s = 0, a new value of k should be generated, so that a new s results with a non-zero value and the computation of w, u1, u2 and v becomes possible.
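DSA signing and verification from Q.28, the retry rule of Q.29, and the Q.27 observation that the signature changes with k, as an added example that is not the book's code. The toy parameters p = 7879 and q = 101, the private key and the messages are constructed for illustration and give no security; real parameters have the sizes of Table 3.3.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# Toy domain parameters, constructed for this example.  Real DSA (Table 3.3)
# uses a 512..1024-bit prime p and a 160-bit prime q.
P = 7879                     # prime; p - 1 = 7878 = 78 * 101
Q = 101                      # prime factor of p - 1


def make_generator(p: int, q: int) -> int:
    """g = h^((p-1)/q) mod p for the smallest h < p - 1 that gives g > 1."""
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return g
    raise ValueError("no generator found")


G = make_generator(P, Q)


def hash_int(message: bytes) -> int:
    """H(m): the standard pairs DSA with SHA, so use SHA-1's 160-bit digest as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def keygen(x: int) -> int:
    """Public key y = g^x mod p for a private key x < q."""
    if not 0 < x < Q:
        raise ValueError("x must satisfy 0 < x < q")
    return pow(G, x, P)


def sign(x: int, message: bytes, k: int) -> Optional[Tuple[int, int]]:
    """r = (g^k mod p) mod q, s = (k^-1 (H(m) + x r)) mod q.
    Returns None when this k must be discarded: s = 0 has no inverse, so the
    verifier could not form w = s^-1 mod q (the case of Q.29); the standard
    rejects r = 0 for the same reason."""
    if not 0 < k < Q:
        raise ValueError("k must satisfy 0 < k < q")
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (hash_int(message) + x * r)) % Q
    if r == 0 or s == 0:
        return None
    return r, s


def sign_with_fresh_k(x: int, message: bytes) -> Tuple[int, int]:
    """Draw a new random k < q until the signature is usable, as DSA specifies."""
    while True:
        sig = sign(x, message, 1 + secrets.randbelow(Q - 1))
        if sig is not None:
            return sig


def verify(y: int, message: bytes, signature: Tuple[int, int]) -> bool:
    """w = s^-1 mod q, u1 = H(m) w mod q, u2 = r w mod q,
    v = ((g^u1 y^u2) mod p) mod q; accept iff v = r."""
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False                 # s = 0 (or r = 0) can never verify
    w = pow(s, -1, Q)
    u1 = (hash_int(message) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def signatures_for_all_k(x: int, message: bytes) -> List[Tuple[int, int]]:
    """Every usable (r, s) for one message, one per k: the Q.27 point that the
    signature changes with k although each one verifies."""
    sigs = []
    for k in range(1, Q):
        sig = sign(x, message, k)
        if sig is not None:
            sigs.append(sig)
    return sigs
```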


Q.30. What is the difference between digital signatures and digital certificates? (R.G.P.V., June 20

Ans. In digital signature, a hash function such as SHA-1 or MD5 creates a unique fingerprint of the portion of data to be signed. This fingerprint is much smaller than the message, it is irreversible, and any change to the message results in a mismatch with the fingerprint (also called digest). The sender encrypts the digest with his private key to obtain what is called the digital signature. The signature is appended to the message and sent to the recipient. The latter then separates the message itself and uses the same hash function to obtain his or her own fingerprint. The user extracts the encrypted digest and uses the sender’s public key to decrypt it. Both results are compared, and the match confirms that the message was received as sent. Digital signatures provide authentication, privacy, non-repudiation and integrity in the virtual world. We use digital signatures for secure messaging, online banking applications, online workflow applications, e-tendering, supply chain management, etc.

Digital certificates are digital documents attesting to the binding of a public key to an individual or specific entity. They allow verification of the claim that a specific public key does in fact belong to a specific individual. Digital certificates help prevent someone from using a phony key to impersonate someone else. Digital certificates are the main structured piece commonly used and processed throughout a PKI. Using the digital signature, a certificate authority will add its weight to the authenticity of an identity by signing the identity information and the user’s public key into a certificate. The result is in essence saying “I guarantee that this particular public key is associated with this particular user, trust me!” If that trust is not broken or weak, the certificate will be the preferred way to make one’s public key available for correspondents (and others) and have it irrefutably linked to the identity information contained therein.


Q.31. What is the idea behind certification authority hierarchy? (R.G.P.V., June 2014)

Ans. Suppose John has received Mike’s digital certificate and he wants to verify it. It means that John needs to de-sign the certificate using the certification authority’s public key. But how does John know what the certification authority’s public key is? One possibility is that the certification authority of John and Mike is the same. In such a case, there is no problem. However, this cannot always be the case. In such a case, how can John obtain the public key of the certification authority? To resolve such problems, a certification authority hierarchy is created. The certification authority hierarchy is also known as the chain of trust. Fig. 3.18 shows that all the certification authorities are grouped into multiple levels of a certification authority hierarchy. The certification authority hierarchy starts with the root certification authority. The root certification authority contains one or more second level certification authorities. Each of the second level certification authorities can have one or more third level certification authorities, which in turn can have lower level certification authorities and so on.
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, P[n], the ciphertext block C[1], ....., C[n], and the 


sin 
be bele, mJ. Then specify | 
geneween We y= Al @ AD] ® ..... ® A[k] 
ey ee x: cryptanalysis is to search an effective linear equation of 
imo 
ner Per , a] ® C[B;, Bz eee > By] = K[y,, Yn Sisse Yel 


<a,b <n, 1 <c Sm, and where the c, B and y denotes fixed 
which catches with probability p # 0.5. The further p is 


. . = 0 ris 
: . š , : pore % jons ; 

Fig. 3.18 CA Hierarchy Pa e bit pe e fective the equation. Once a proposed relation is determined, 
T TAR fom 05 ei to calculate A mate ane Ferit side of the preceding 
CRYPTANALYSIS SIINE NENO rR DE-OFF ATT Pal procefor a large number O° p aah a ir pa De sesulbis 
DIFFERENTIAL CRYPTANALYS!5, RE CHANNEL ayy, | 47, pan half the time, con (es fay r oe es 
AUTHENTICATION SYSTEM LIKE KERBEROS “Ü | z" consider Kl,» Y2 ~~~ Yel = 1 This Provides us a linear equation on 
f ofthe ti x Try to achieve more this type of relations so that we can solve for 


0 
the key bi ‘The problem can be approached one round of the cipher at a time, 

the key oe its combined because we are dealing with linear equations. 
wilh the @ Differential Cryptanalysis — Differential cryptanalysis is one of 
ost significant advances in cryptanalysis in recent years. Until 1990, 
7 m tial cryptanalysis was not reported in the open literature. The first 
of el effort appears to have been the cryptanalysis of a block cipher known 
sor by Murphy [MURP90]. This was followed by a multiple papers by 
aa and Shamir, who demonstrated this form of attack on a variety of 
hms and hash functions. Their results are described in 


encryption algorit ns 
BIHA93. For this method, the most publicized results have been those that 
have application to DES. Differential cryptanalysis is the first published attack 


which is capable of decomposing DES in less than 255 complexity. The 
technique, as reported in BIHA93 can successfully cryptanalyze DES with an 
effort on the order of 247, requiring 247 selected plaintexts. However, 2%” is 
certainly significantly less than 255. The requirement to search 2%” selected 
plaintexts makes this attack of only theoretical interest. However, differential 
cryptanalysis is a powerful tool. It does not do very well against data encryption 
standard. According to a member of the IBM team that designed DES, the 
tause is that differential cryptanalysis was known to the team as early as 1974. 
ie Psa to strengthen data encryption standard (DES) against attacks 
and i erential cryptanalysis played a large part in the design of the S-boxes 
these hi P. As evidence of the impact of these changes, assume 
Sites: results described in BIHA93. Only 256 selected plaintexts 
while, an atta anid cryptanalysis of an eight-round LUCIFER algorithm, 
Dilie on an eight-round version of DES needs 2" selected plaintext 
bcomplex Stan Cryptanalysis Attack — The differential cryptanalysis attack 
° With a change in notation for data encryption standard. Assume 


0.32. Define the term cryptanalysis. Explain linear and differen 
cryptanalysis. (R.GP.v, Mey 2 ` 

Ans. Cryptanalysis — Cryptanalysis is the technique of decoding fies ) 
from a non-readable format back to readable format without kn owing 5 
they were initially converted from readable format to non-readable format i 
other words, it is like breaking a code. This is shown in fig. 3.19. i 


This is a Book on 
Network and 
Internet Security 


R#S %*&"m,:p0- 
$89!@"%SjhnlO0 
-5557 


Unreadable Message Readable Message 


This process is 
Trial-and-error 
Based 


Fig. 3.19 Cryptanalysis 


(i) Linear Cryptanalysis — This attack is based on determining linear approximations to describe the transformations done in the data encryption standard. This procedure can find a data encryption standard key given 2^47 known plaintexts, as compared to 2^47 selected plaintexts for differential cryptanalysis. This is a minor improvement, because although it can be simpler to acquire known plaintext as compared to selected plaintext, it still leaves linear cryptanalysis infeasible as an attack on the data encryption standard. Work to validate the method has been performed by others. The description of linear cryptanalysis is based on the following — For a cipher with n-bit plaintext and ciphertext blocks and an m-bit key, let the plaintext

(ii) Differential Cryptanalysis — Consider the original plaintext block m to consist of two halves m_0, m_1. Each round of the data encryption standard maps the right-hand input into the left-hand output, and sets the right-hand output to be a function of the left-hand input and the subkey for this round. So, only one new 32-bit block is created at each round. When each new block m_i (2 ≤ i ≤ 17) is labelled, then the intermediate message halves are related as given below —

m_{i+1} = m_{i-1} ⊕ f(m_i, K_i),   i = 1 to 16

In differential cryptanalysis, begin with two messages m and m' with a known XOR difference Δm = m ⊕ m', and assume the difference between the intermediate message halves —

Δm_i = m_i ⊕ m'_i

Then

Δm_{i+1} = m_{i+1} ⊕ m'_{i+1}
         = [m_{i-1} ⊕ f(m_i, K_i)] ⊕ [m'_{i-1} ⊕ f(m'_i, K_i)]
         = Δm_{i-1} ⊕ [f(m_i, K_i) ⊕ f(m'_i, K_i)]

Now, assume that several pairs of inputs to f with the same difference provide the same output difference when the same subkey is employed. To state this more precisely, let us say that X can cause Y with probability p, if for a fraction p of the pairs in which the input XOR is X, the output XOR is Y. Suppose that there are a number of values of X which have high probability of causing a specific output difference. Hence, when Δm_{i-1} and Δm_i are known with high probability, then Δm_{i+1} is known with high probability. In addition, when a number of such differences are determined, it is feasible to determine the subkey employed in the function f. The whole procedure of differential cryptanalysis is based on these considerations for a single round. The procedure is to start with two plaintext messages m and m' with a provided difference and trace through a probable pattern of differences after each round to provide a probable difference for the ciphertext. For the two 32-bit halves there are two probable differences, (Δm_17 || Δm_16). Next, m and m' are submitted for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. When there is a match,

E_K(m) ⊕ E_K(m') = (Δm_17 || Δm_16)

then it is suspected that all the probable patterns at all the intermediate rounds are correct. Some deductions about the key bits can be made with that assumption. To determine all the key bits, this method must be repeated a lot of times.

Q.33. Discuss the various types of attacks. (R.G.P.V., June 2015)
Or
Discuss the various types of cryptanalysis attacks. (R.G.P.V.)

Ans. There are four common types of cryptanalysis attacks, as shown in fig. 3.20.

Fig. 3.20 Cryptanalysis Attacks

(i) Ciphertext-only Attack — In a ciphertext-only attack, Eve has access to only some ciphertext. She tries to find the corresponding key and the plaintext. The only assumption is that Eve knows the algorithm and can intercept the ciphertext. The ciphertext-only attack is the most probable one because Eve needs only the ciphertext for this attack. To thwart the decryption of a message by an adversary, a cipher must be very resisting to this type of attack. Fig. 3.21 shows the process.

Fig. 3.21 Ciphertext-only Attack (Eve intercepts only the ciphertext sent from Alice to Bob)
Various methods can be used in ciphertext-only attack. We mention some 
common ones here. 


(a) Brute-force Attack — In the brute-force method or exhaustive-key-search method, Eve tries to use all possible keys. We assume that Eve knows the algorithm and knows the key domain (the list of all possible keys). Using the intercepted cipher, Eve decrypts the ciphertext with every possible key until the plaintext makes sense. Using brute-force attack was a difficult task in the past; it is easier today using a computer. To prevent this type of attack, the number of possible keys must be very large.

(b) Statistical Attack — The cryptanalyst can benefit from some characteristics of the plaintext language to launch a statistical attack. For example, we know that the letter E is the most frequently used letter in English text. The cryptanalyst finds the most used character in the ciphertext and assumes that the corresponding plaintext character is E. After finding a few pairs, the analyst can find the key and use it to decrypt the message. To prevent this type of attack, the cipher should hide the characteristics of the language.
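Methods (a) and (b) above, run against a constructed shift-cipher message, as an added example that is not code from the book: the cipher, the sample sentence, the key and Eve's small word list for "makes sense" are all constructed, and the 26-key domain is exactly what makes (a) cheap.

```python
"""Two ciphertext-only methods from the text, (a) brute force and (b) the
statistical attack, run against a constructed shift-cipher message.  Added
example, not code from the book; cipher, text, key and word list are toys."""
from collections import Counter
from typing import Optional
import string

ALPHABET = string.ascii_uppercase
# Constructed sample: E is by far its most frequent letter (16 of 59 letters).
PLAINTEXT = "MEET ME AT THE SECRET ENTRANCE OF THE NEW GREEN THEATRE AT SEVEN"
KEY = 3                         # the shift Alice used; Eve does not know it
KEY_DOMAIN = range(26)          # every possible key: tiny, so brute force works
COMMON_WORDS = {"THE", "AT", "OF", "ME", "MEET"}   # Eve's 'makes sense' test


def shift(text: str, k: int) -> str:
    """Shift cipher: rotate every letter k places (decrypt with -k)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26] if c in ALPHABET else c
                   for c in text)


def makes_sense(candidate: str) -> bool:
    """Plausibility check: enough common English words appear."""
    return sum(w in COMMON_WORDS for w in candidate.split()) >= 3


def brute_force(ciphertext: str) -> Optional[int]:
    """(a) Exhaustive key search: try every key in the key domain until the
    decryption makes sense.  Cost grows with the size of the key domain."""
    for k in KEY_DOMAIN:
        if makes_sense(shift(ciphertext, -k)):
            return k
    return None


def statistical_attack(ciphertext: str) -> int:
    """(b) Assume the most frequent ciphertext letter is the encryption of E
    and derive the key from that single pair."""
    letters = Counter(c for c in ciphertext if c in ALPHABET)
    top, _ = letters.most_common(1)[0]
    return (ALPHABET.index(top) - ALPHABET.index("E")) % 26


def recover(ciphertext: str, k: int) -> str:
    """Decrypt with the recovered key."""
    return shift(ciphertext, -k)
```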


(c) Pattern Attack — Some ciphers may hide the characteristics of the language, but may create some patterns in the ciphertext. A cryptanalyst may use a pattern attack to break the cipher. Therefore, it is important to use ciphers that make the ciphertext look as random as possible.

(ii) Known-plaintext Attack — In a known-plaintext attack, Eve has access to some plaintext/ciphertext pairs in addition to the intercepted ciphertext that she wants to break, as shown in fig. 3.22.

Fig. 3.22 Known-plaintext Attack (Eve uses a previous plaintext/ciphertext pair together with the intercepted ciphertext)

The plaintext/ciphertext pairs have been collected earlier. For example, Alice has sent a secret message to Bob, but she has later made the contents of the message public. Eve has kept both the ciphertext and the plaintext of any previous messages, and uses them to break the next secret message from Alice to Bob.

(iii) Chosen-plaintext Attack — The chosen-plaintext attack is similar to the known-plaintext attack, but the plaintext/ciphertext pairs have been chosen by the attacker herself. Fig. 3.23 shows the process.

Fig. 3.23 Chosen-plaintext Attack (pair created from chosen plaintext)

This can happen, for example, if Eve has access to Alice's computer. She can choose some plaintext and intercept the created ciphertext. Of course, she does not have the key because the key is normally embedded in the software used by the sender. This type of attack is much easier to implement, but it is much less likely to happen.


(iv) Chosen-ciphertext Attack — The chosen-ciphertext attack is similar to the chosen-plaintext attack, except that Eve chooses some ciphertext and decrypts it to form a ciphertext/plaintext pair. This can happen if Eve has access to Bob's computer. Fig. 3.24 shows the process.

Fig. 3.24 Chosen-ciphertext Attack


Q.34. Write a short note on brute-force attacks. (R.G.P.V., Dec. 2003, June 2004, May 2018)

Ans. Refer to Q.33 (i) (a).

Q.35. List and briefly define types of cryptanalytic attacks based on what is known to the attacker. (R.G.P.V., May 2019)

Ans. Refer to Q.33.


Q.36. Brief overview of time-memory tradeoff (TMTO) attacks.

Ans. Time-memory Tradeoff (TMTO) attacks on stream ciphers are a 
serious security threat and the resistance to this class of attacks is an important 
criterion in the design of a modern stream cipher. TMTO attacks are especially 
effective against stream ciphers where a variant of the TMTO attack can make 
use of multiple data to reduce the off-line and the on-line time complexities of 
the attack (given a fixed amount of memory). 


We start with the basic TMTO attack of Hellman. Let f : {0, 1}^n → {0, 1}^n be the function the attacker tries to invert. The preprocessing phase of the attack consists of constructing several tables. To construct each table, the attacker chooses m random starting points, and from each starting point x she computes the chain SP = x, f(x), f^2(x) = f(f(x)), ..., f^t(x) = EP, as shown in fig. 3.25 (where f is the function the attacker tries to invert). The pairs (EP, SP) are stored in a table. The attacker constructs t such tables T_0, ..., T_{t-1}, each for a different function f_i that is usually a slight modification of the original f (e.g., a permutation of the bits). In the on-line phase of the attack, the attacker is given z = f(y) and has to find y. For all 0 ≤ i ≤ t − 1, she applies f_i repeatedly to f_i(y) (that can be easily computed given f(y)) to get the sequence f_i(y), f_i^2(y), ..., f_i^t(y), and for each new value checks whether the obtained value appears as an end point in the table T_i. If a value appears as an end point in T_i, the attacker takes the corresponding starting point from the table and applies f_i sequentially until f_i(y) is reached. The point encountered just before f_i(y) is indeed y.

Fig. 3.25 Constructing Hellman Tables

The time complexity of the attack is t^2 applications of f and table accesses, and the memory required for the attack is mt. Since the tables cover most of the N possible states, we have N = mt^2, from which the tradeoff curve for this attack is obtained. The time complexity of the preprocessing phase is N, but as we noted before, this phase is usually neglected in the analysis of TMTO attacks.
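Hellman's scheme as just described, as an added runnable example that is not code from the book: f is a constructed 16-bit function (the first two bytes of SHA-256), the variants f_i use an XOR mask in place of the text's bit permutation, and the parameters N = 2^16, t = 16, m = 256 are chosen so that N = mt^2 holds exactly.

```python
"""Hellman's time-memory tradeoff on a constructed 16-bit one-way function.
Added example, not code from the book.  The function f, the variants f_i
and the parameters are toys chosen so that N = m * t^2 holds exactly."""
import hashlib
import random
from typing import Optional

BITS = 16
N = 1 << BITS            # number of possible states
T = 16                   # chain length, and also the number of tables
M = N // (T * T)         # starting points per table, so that m * t^2 = N


def f(x: int) -> int:
    """Constructed function to invert: the first 16 bits of SHA-256(x)."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def g(v: int, i: int) -> int:
    """Output tweak defining the i-th variant f_i(x) = g(f(x), i).  An XOR
    mask stands in for the text's 'permutation of the bits'; g is a
    bijection, so f_i(y) can be computed from f(y) alone in the on-line phase."""
    return v ^ ((i * 0x9E37) & (N - 1))


def f_i(x: int, i: int) -> int:
    return g(f(x), i)


def build_tables(seed: int = 1) -> list:
    """Pre-processing: T tables, each storing m pairs (EP -> SP).
    Cost: m * t applications of f per table, i.e. N in total."""
    rng = random.Random(seed)
    tables = []
    for i in range(T):
        table = {}
        for _ in range(M):
            sp = rng.randrange(N)
            x = sp
            for _ in range(T):          # SP, f_i(SP), ..., f_i^t(SP) = EP
                x = f_i(x, i)
            table[x] = sp               # only (EP, SP) is kept, not the chain
        tables.append(table)
    return tables


def invert(z: int, tables: list) -> Optional[int]:
    """On-line phase: given z = f(y), recover some y with f(y) = z.
    Cost: at most t steps in each of t tables, i.e. t^2 applications of f."""
    for i, table in enumerate(tables):
        target = g(z, i)                # = f_i(y), computable without y
        w = target
        for _ in range(T):
            if w in table:              # w appears as an end point of T_i
                y = table[w]            # walk again from the starting point
                for _ in range(T):
                    if f_i(y, i) == target:
                        if f(y) == z:   # merged chains can give false alarms
                            return y
                        break
                    y = f_i(y, i)
            w = f_i(w, i)
    return None


def success_rate(tables: list, trials: int = 200, seed: int = 2) -> float:
    """Coverage: fraction of random y whose image the tables can invert.
    Tables built with m * t^2 = N cover most, but not all, of the space."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        y = rng.randrange(N)
        x = invert(f(y), tables)
        hits += x is not None and f(x) == f(y)
    return hits / trials


def memory_used(tables: list) -> int:
    """Number of stored (EP, SP) pairs: at most m * t, as the text states."""
    return sum(len(t) for t in tables)
```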
Q.37. What was Kerberos designed for ? Explain the architecture. (R.G.P.V., Dec. 2003, June 2004)
Or
What is Kerberos ? Write the working principle of Kerberos. (R.G.P.V., May/June 200_)
Or
What is Kerberos designed for ? Explain operation of Kerberos. (R.G.P.V., Dec. 200_)
Or
What is Kerberos ? How does Kerberos work ? (R.G.P.V., June 2013, 2014)


Ans. An authentication service used by many real systems is Kerberos, which is based on a variant of Needham-Schroeder. It is named for a multiheaded dog in Greek mythology that used to guard the entrance to Hades (presumably to keep undesirables out). Kerberos was designed at M.I.T. to allow workstation users to access network resources in a secure way. Its biggest difference with Needham-Schroeder is its assumption that all clocks are fairly well synchronized.

The problem that Kerberos addresses is — Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. We would like for servers to be able to restrict access to authorized users and to be able to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services. In particular, the following three threats exist —


(i) A user may gain access to a particular workstation and pretend to be another user operating from that workstation.

(ii) A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.

(iii) A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.

In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access. Rather than building in elaborate authentication protocols at each server, Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. Unlike most other authentication schemes, Kerberos relies exclusively on symmetric encryption, making no use of public key encryption.

Two versions of Kerberos are in common use. Version 4 is still widely used. Version 5 corrects some of the security deficiencies of version 4 and has been issued as a proposed Internet Standard (RFC 1510). Fig. 3.26 shows the overview of Kerberos.
Fig. 3.26 Overview of Kerberos
1. Once per user logon session, the user logs on to the workstation and requests service on a host.
2. The AS verifies the user's access right in its database, creates a ticket-granting ticket and a session key. Results are encrypted using a key derived from the user's password.
3. Once per type of service, the workstation prompts the user for the password and uses the password to decrypt the incoming message, then sends the ticket and an authenticator that contains the user's name, network address and time to the TGS.
4. The TGS decrypts the ticket and authenticator, verifies the request, then creates a ticket for the requested server.
5. Once per service session, the workstation sends the ticket and authenticator to the server.
6. The server verifies that the ticket and authenticator match, then grants access to the service. If mutual authentication is required, the server returns an authenticator.
Kerberos involves three servers in addition to Alice (a client workstation), as shown in fig. 3.27.

Fig. 3.27 The Operation of Kerberos V4 (client workstation, AS, TGS and Bob; phases: log in, get a ticket, do work)

(i) Authentication Server (AS) — The AS verifies users during login.

(ii) Ticket-granting Server (TGS) — The TGS issues "proof of identity tickets".

(iii) Bob the Server — The server actually does the work that Alice wants to perform.

AS is similar to a KDC in that it shares a secret password with every user. The TGS's job is to issue tickets that can convince the real servers that the bearer of a TGS ticket really is who he or she claims to be.


To start a session, Alice sits down at an arbitrary public workstation and types her name. The workstation sends her name to the AS in plaintext, as shown in fig. 3.27. A session key and a ticket, K_TGS(A, K_S), come back from the AS, intended for the TGS. These items are packaged together and encrypted using Alice's secret key, so that only Alice can decrypt them. Only when message 2 arrives does the workstation ask for Alice's password. The password is then used to generate K_A, in order to decrypt message 2 and obtain the session key and TGS ticket inside it. At this point, the workstation overwrites Alice's password to make sure that it is only inside the workstation for a few milliseconds at most. If Trudy tries logging in as Alice, the password she types will be wrong and the workstation will detect this because the standard part of message 2 will be incorrect.

After she logs in, Alice may tell the workstation that she wants to contact Bob the file server. The workstation then sends message 3 to the TGS asking for a ticket to use with Bob. The key element in this request is K_TGS(A, K_S), which is encrypted with the TGS's secret key and used as proof that the sender really is Alice. The TGS responds by creating a session key, K_AB, for Alice to use with Bob. Two versions of it are sent back. The first is encrypted with only K_S, so Alice can read it. The second is encrypted with Bob's key, K_B, so Bob can read it.

Trudy can copy message 3 and try to use it again, but she will be foiled by the encrypted timestamp, t, sent along with it. Trudy cannot replace the timestamp with a more recent one, because she does not know K_S, the session key Alice uses to talk to the TGS. Even if Trudy replays message 3 quickly, all she will get is another copy of message 4, which she could not decrypt the first time and will not be able to decrypt the second time either.

Now Alice can send K_AB to Bob to establish a session with him. This exchange is also timestamped. The response is proof to Alice that she is actually talking to Bob, not to Trudy. After this series of exchanges, Alice can communicate with Bob under cover of K_AB. If she later decides she needs to talk to another server, Carol, she just repeats message 3 to the TGS, only now specifying C instead of B. The TGS will promptly respond with a ticket encrypted with K_C that Alice can send to Carol and that Carol will accept as proof that it came from Alice.

The point of all this work is that now Alice can access servers all over the network in a secure way and her password never has to go over the network. In fact, it only had to be in her own workstation for a few milliseconds. However, it is noted that each server does its own authorization. When Alice presents her ticket to Bob, this merely proves to Bob who sent it. Precisely what Alice is allowed to do is up to Bob.

Since the Kerberos designers did not expect the entire world to trust a single 
authentication server, they made provision for having multiple realms, each with 
itsown AS and TGS. To get a ticket for a server in a distant realm, Alice would 
ask her own TGS for a ticket accepted by the TGS in the distant realm. If the 
distant TGS has registered with the local TGS, the local TGS will give Alice a 
ticket valid at the distant TGS. She can then do business over there, such as 
getting tickets for servers in that realm. However, it is also noted that for parties 
in two realms to do business, each one must trust the other’s TGS. 
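The six-message exchange of fig. 3.27 as an added runnable model, not code from the book or from M.I.T.: seal()/unseal() are a constructed stand-in for DES (an HMAC-SHA256 keystream plus a tag), and the names, keys, the 8-hour ticket lifetime, the 5-second freshness window and the shared clock are constructed assumptions. It also shows why Trudy's replay of message 3 fails in both of the ways the text describes.

```python
"""The Kerberos V4 exchange of fig. 3.27 (messages 1 to 6) as a runnable
model, including the timestamp check that foils Trudy's replay of
message 3.  Added example, not code from the book or from MIT.  seal()
and unseal() are a constructed stand-in for DES (HMAC-SHA256 keystream
plus tag); names, keys, lifetimes and the shared clock are constructed."""
import hashlib
import hmac
import json
import os
from typing import Optional

CLOCK = [1_000_000]      # synchronized clock shared by all parties (seconds)
SKEW = 5                 # an authenticator is fresh only if |t - now| <= SKEW
TGT_LIFETIME = 8 * 3600

def kdf(password: str) -> bytes:
    """K_A is derived from Alice's password, as the text describes (toy KDF)."""
    return hashlib.sha256(password.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-tag; only a holder of `key` can read or alter the result."""
    data = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> Optional[dict]:
    """None when the key is wrong or the blob was altered ('will be incorrect')."""
    body, tag = blob[:-32], blob[-32:]
    if len(body) < 16 or not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        return None
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed AS/TGS database: user keys, the TGS key, and server keys.
USERS = {"alice": kdf("correct horse battery staple")}
K_TGS = os.urandom(32)
SERVERS = {"bob": os.urandom(32), "carol": os.urandom(32)}

def as_reply(name: str) -> bytes:
    """Messages 1-2: AS answers K_A{K_S, K_TGS{A, K_S}}; the TGT carries an expiry."""
    k_s = os.urandom(32)
    tgt = seal(K_TGS, {"client": name, "k_s": k_s.hex(), "exp": CLOCK[0] + TGT_LIFETIME})
    return seal(USERS[name], {"k_s": k_s.hex(), "tgt": tgt.hex()})

def workstation_login(name: str, password: str):
    """Client side of messages 1-2; returns (K_S, TGT) or None on a wrong password."""
    inner = unseal(kdf(password), as_reply(name))
    return None if inner is None else (bytes.fromhex(inner["k_s"]), bytes.fromhex(inner["tgt"]))

def message3(k_s: bytes, tgt: bytes, server: str):
    """K_TGS{A, K_S}, B, K_S{t}: the timestamp t is what a replay cannot refresh."""
    return tgt, server, seal(k_s, {"t": CLOCK[0]})

def tgs_issue(tgt: bytes, server: str, auth: bytes) -> Optional[bytes]:
    """Message 4: K_S{B, K_AB, K_B{A, K_AB}}, only for a valid TGT and fresh authenticator."""
    t = unseal(K_TGS, tgt)
    if t is None or t["exp"] < CLOCK[0]:
        return None
    k_s = bytes.fromhex(t["k_s"])
    a = unseal(k_s, auth)
    if a is None or abs(a["t"] - CLOCK[0]) > SKEW:
        return None                                   # stale: replayed too late
    k_ab = os.urandom(32)
    ticket = seal(SERVERS[server], {"client": t["client"], "k_ab": k_ab.hex()})
    return seal(k_s, {"server": server, "k_ab": k_ab.hex(), "ticket": ticket.hex()})

def server_reply(server: str, ticket: bytes, auth: bytes) -> Optional[bytes]:
    """Messages 5-6: Bob checks K_B{A, K_AB} and K_AB{t}, then answers K_AB{t + 1}."""
    tk = unseal(SERVERS[server], ticket)
    if tk is None:
        return None
    k_ab = bytes.fromhex(tk["k_ab"])
    a = unseal(k_ab, auth)
    if a is None or abs(a["t"] - CLOCK[0]) > SKEW:
        return None
    return seal(k_ab, {"t": a["t"] + 1})

def session(name: str, password: str, server: str) -> Optional[str]:
    """Whole exchange; returns the server name once message 6 proves it, else None."""
    creds = workstation_login(name, password)
    if creds is None:
        return None
    k_s, tgt = creds
    msg4 = tgs_issue(*message3(k_s, tgt, server))
    if msg4 is None:
        return None
    m4 = unseal(k_s, msg4)
    k_ab, ticket = bytes.fromhex(m4["k_ab"]), bytes.fromhex(m4["ticket"])
    t = CLOCK[0]
    msg6 = server_reply(server, ticket, seal(k_ab, {"t": t}))
    reply = unseal(k_ab, msg6) if msg6 else None
    return m4["server"] if reply and reply["t"] == t + 1 else None
```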


Q.38. Explain the concept of Kerberos. How is it useful ? (R.G.P.V., May 2019)

Ans. Refer to Q.37.


Q.39. What entities constitute a full Kerberos environment and what is
(R.G.P.V., June 2008, Dec. 2008)
Or
What entities constitute a full-service Kerberos environment ? (R.G.P.V., Dec. 2011, June 2017)

Ans. A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers requires the following —

(i) The Kerberos server must have the password of all participating users in its database. All users are registered with the Kerberos server.

(ii) The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.

Such an environment is referred to as a realm.

Q.40. In the context of Kerberos, what is realm ? (R.G.P.V., June)

Ans. Refer to Q.39.

Q.41. What do you mean by Kerberos ? Compare it with digital signature. (R.G.P.V., June)

Ans. Kerberos — Refer to Q.37.

Comparison between Kerberos and Digital Signature —


Kerberos —
(i) It is an authentication protocol.
(ii) It is based on symmetric cryptography.
(iii) Its operation is as follows — A client requests a ticket for a ticket-granting service from Kerberos. This ticket is sent to the client, encrypted in the client's secret key. To use a particular server, the client requests a ticket for that server from the ticket-granting service. The client then presents this ticket to the server along with an authenticator. If there is nothing wrong with the client's credentials, the server lets the client have access to the service.

Digital Signature —
(i) It is also an authentication method.
(ii) We cannot use a secret (symmetric) key to both sign and verify a signature.
(iii) Its operation is as follows — The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination.


Q.42. Briefly describe the motivation for Kerberos scheme.
Or
Justify suitability of Kerberos for online real time applications. (R.G.P.V., Dec. 20_9)

Ans. If a set of users is provided with dedicated personal computers that have no network connections, then a user's resources and files can be protected by physically securing each personal computer. When these users are served by a centralized time-sharing system, the time-sharing operating system must provide the security. More common today is a distributed architecture consisting of dedicated user workstations (clients) and distributed or centralized servers. In this environment, three approaches to security can be envisioned —

(i) Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID).

(ii) Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user.

(iii) Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.

In a small, closed environment, in which all systems are owned and operated by a single organization, the first or perhaps the second strategy may suffice. But in a more open environment, in which network connections to other machines are supported, the third approach is needed to protect user information and resources housed at the server. This third approach is supported by Kerberos. Kerberos assumes a distributed client/server architecture and employs one or more Kerberos servers to provide an authentication service.


Q.43. What are the requirements of Kerberos ?
Or
What four requirements were defined for Kerberos ? Explain. (R.G.P.V., Dec. 2011)

Ans. The following are the requirements for Kerberos —

(i) Secure — A network eavesdropper should not be able to obtain
the necessary information to impersonate a user. More generally, Kerberos should 
be strong enough that a potential opponent does not find it to be the weak link. 

(ii) Reliable — For all services that rely on Kerberos for access control, 
lack of availability of the Kerberos service means lack of availability of the 
Supported services, Hence, Kerberos should be highly reliable and should employ 
a distributed Server architecture, with one system able to back up another. 

(iii) Transparent — Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.

(iv) Scalable — The system should be capable of supporting large numbers of clients and servers. This suggests a modular distributed architecture.

To support these requirements, the overall scheme of Kerberos is that of a trusted third-party authentication service that uses a protocol based on that proposed by Needham-Schroeder. It is trusted in the sense that clients and servers trust Kerberos to mediate their mutual authentication.
Q.44. Differentiate between Kerberos version 4 and version 5. What are the shortcomings of Kerberos version 4 ? How are they overcome in Kerberos version 5 ?
Or
What are the principal differences between version 4 and version 5 of Kerberos ? (R.G.P.V., Dec. 2006, June 2012)
Or
Differentiate Kerberos version 4 and 5. (R.G.P.V., June 2009)
Or
Give the differences between version 4 and version 5 of Kerberos. (R.G.P.V., June 20__)

Ans. Differences between Versions 4 and 5 — Version 5 is intended to address the limitations of version 4 in two areas — environmental shortcomings and technical deficiencies.

Version 4 of Kerberos was developed for use within the Project Athena environment and accordingly, did not fully address the need to be of general purpose. This led to the following environmental shortcomings —


(i) Encryption System Dependence — Version 4 requires the use of DES. Export restriction of DES as well as doubts about the strength of DES are thus of concern. In version 5, ciphertext is tagged with an encryption type identifier so that any encryption technique may be used. Encryption keys are tagged with a type and a length, allowing the same key to be used in different algorithms and allowing the specification of different variations on a given algorithm.


(ii) Internet Protocol Dependence — Version 4 requires the use of 
Internet Protocol (IP) addresses. Other address types, such as the ISO network 
address, are not accommodated. Version 5 network addresses are tagged with 
type and length, allowing any network address type to be used. 


(iii) Message Byte Ordering — In version 4, the sender of a message employs a byte ordering of its own choosing and tags the message to indicate least significant byte in lowest address or most significant byte in lowest address. This technique works but does not follow established conventions. In version 5, all message structures are defined using Abstract Syntax Notation One (ASN.1) and Basic Encoding Rules (BER), which provide an unambiguous byte ordering.

(iv) Ticket Lifetime — Lifetime values in version 4 are encoded in an 8-bit quantity in units of five minutes. Thus, the maximum lifetime that can be expressed is 2^8 × 5 = 1280 minutes, or a little over 21 hours. This may be inadequate for some applications. In version 5, tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes.
(v) Authentication Forwarding — Version 4 does not allow credentials issued to one client to be forwarded to some other host and used by some other client. This capability would enable a client to access a server and have that server access another server on behalf of the client. Version 5 provides this capability.

(vi) Interrealm Authentication — In version 4, interoperability among N realms requires on the order of N^2 Kerberos-to-Kerberos relationships. Version 5 supports a method that requires fewer relationships.

Apart from these environmental deficiencies, there are technical deficiencies in the version 4 protocol itself. The deficiencies are listed as follows —

(i) Double Encryption — Often tickets provided to clients are encrypted twice, once with the secret key of the target server and then again with a secret key known to the client. The second encryption is not necessary and is computationally wasteful.

(ii) PCBC Encryption — Encryption in version 4 makes use of a nonstandard mode of DES known as propagating cipher block chaining (PCBC). It has been demonstrated that this mode is vulnerable to an attack involving the interchange of ciphertext blocks. PCBC was intended to provide an integrity check as part of the encryption operation. Version 5 provides explicit integrity mechanisms, allowing the standard CBC mode to be used for encryption.

(iii) Session Keys — Each ticket includes a session key that is used by the client to encrypt the authenticator sent to the service associated with that ticket. In addition, the session key may subsequently be used by the client and the server to protect messages passed during that session. However, because the same ticket may be used repeatedly to gain service from a particular server, there is the risk that an opponent will replay messages from an old session to the client or the server. In version 5, it is possible for a client and server to negotiate a subsession key, which is to be used only for that one connection. A new access by the client would result in the use of a new subsession key.


(iv) Password Attacks — Both versions are vulnerable to a password attack. The message from the AS to the client includes material encrypted with a key based on the client's password. An opponent can capture this message and attempt to decrypt it by trying various passwords. If the result of a test decryption is of the proper form, then the opponent has discovered the client's password and may subsequently use it to gain authentication credentials from Kerberos. Version 5 does provide a mechanism known as preauthentication, which should make password attacks more difficult, but it does not prevent them.
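Why the PCBC deficiency under (ii) above matters, and why version 5's explicit integrity check fixes it, as an added example that is not code from the book: the 8-byte Feistel block cipher, the trailer block standing in for PCBC's in-band check and the sample data are all constructed toys, not DES or Kerberos.

```python
"""Why version 4's PCBC mode was abandoned: interchanging two ciphertext
blocks leaves every later plaintext block intact, so an integrity check
that rides along in the last block (what PCBC was relied on for) does not
notice, whereas the explicit integrity check of version 5 does.  Added
example, not code from the book; the 8-byte Feistel cipher, the trailer
block and the sample data are constructed toys, not DES or Kerberos."""
import hashlib
import hmac

BLOCK = 8
TRAILER = b"KRB4-END"   # constructed 8-byte trailer standing in for an in-band checksum
DATA = b"client:A" + b"lice    " + b"server:B" + b"ob      "   # 4 constructed blocks

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, k: bytes, r: int) -> bytes:
    return hashlib.sha256(k + bytes([r]) + half).digest()[:4]

def enc_block(k: bytes, b: bytes) -> bytes:
    """Toy 4-round Feistel block cipher (constructed, not secure)."""
    l, r = b[:4], b[4:]
    for i in range(4):
        l, r = r, xor(l, _f(r, k, i))
    return r + l

def dec_block(k: bytes, b: bytes) -> bytes:
    r, l = b[:4], b[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(l, k, i)), l
    return l + r

def cbc_encrypt(k: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(k, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(dec_block(k, c), prev))
        prev = c
    return b"".join(out)

def pcbc_encrypt(k: bytes, iv: bytes, pt: bytes) -> bytes:
    """PCBC: C_i = E(P_i ^ P_{i-1} ^ C_{i-1}); P_0 = 0, C_0 = IV."""
    out, prev_p, prev_c = [], bytes(BLOCK), iv
    for i in range(0, len(pt), BLOCK):
        p = pt[i:i + BLOCK]
        c = enc_block(k, xor(xor(p, prev_p), prev_c))
        out.append(c)
        prev_p, prev_c = p, c
    return b"".join(out)

def pcbc_decrypt(k: bytes, iv: bytes, ct: bytes) -> bytes:
    """PCBC: P_i = D(C_i) ^ P_{i-1} ^ C_{i-1}; an error propagates to later blocks."""
    out, prev_p, prev_c = [], bytes(BLOCK), iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        p = xor(xor(dec_block(k, c), prev_p), prev_c)
        out.append(p)
        prev_p, prev_c = p, c
    return b"".join(out)

def swap_blocks(ct: bytes, i: int) -> bytes:
    """Interchange ciphertext blocks i and i+1 (the manipulation the text names)."""
    a, b = ct[i * BLOCK:(i + 1) * BLOCK], ct[(i + 1) * BLOCK:(i + 2) * BLOCK]
    return ct[:i * BLOCK] + b + a + ct[(i + 2) * BLOCK:]

def later_blocks_survive_swap(k: bytes, iv: bytes, data: bytes) -> bool:
    """Under PCBC, blocks i and i+1 are garbled but every block after them
    decrypts unchanged, because P_{i+1} ^ C_{i+1} is the same either way."""
    pt = pcbc_decrypt(k, iv, swap_blocks(pcbc_encrypt(k, iv, data), 0))
    return pt[2 * BLOCK:] == data[2 * BLOCK:] and pt[:2 * BLOCK] != data[:2 * BLOCK]

def trailer_check_detects_swap(k: bytes, iv: bytes, data: bytes) -> bool:
    """The in-band check: the trailer is still intact after the swap, so False."""
    ct = pcbc_encrypt(k, iv, data + TRAILER)
    return not pcbc_decrypt(k, iv, swap_blocks(ct, 0)).endswith(TRAILER)

def explicit_mac_detects_swap(k: bytes, iv: bytes, data: bytes) -> bool:
    """Version 5 style: CBC plus a separate integrity tag over the ciphertext."""
    ct = cbc_encrypt(k, iv, data)
    tag = hmac.new(k, iv + ct, "sha256").digest()
    forged = hmac.new(k, iv + swap_blocks(ct, 0), "sha256").digest()
    return not hmac.compare_digest(tag, forged)
```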
Q.45. Write any two differences between Kerberos 4 and Kerberos 5. (R.G.P.V., June 2016)

Ans. Refer to Q.44.
Q.46. What are the advantages of Kerberos ?

Ans. The advantages of Kerberos are as follows —

(i) A user's password is not sent on the wire (either in plaintext or in ciphertext) during session initiation.

(ii) Kerberos provides cryptographic protection against spoofing. Each service access request is mediated by the TGS, which knows that the identity of the user/client is authenticated by the Kerberos AS and the user/client request is encrypted with the Client/TGS session key.

(iii) As each ticket has a limited lifetime, cryptanalytic attacks cannot be launched.

(iv) Kerberos assumes that the clocks across all the clients and servers are synchronized. A host responds back only if the request message has timestamp value close to the current time at the host.

(v) Kerberos provides mutual authentication. The TGS and SS can respectively get access to the Client/TGS session key and the Client/Server session key only after they can decrypt the messages containing these keys with their appropriate secret keys. The client uses this approach to indirectly authenticate the servers.


Q.47. What are the weaknesses of Kerberos ?

Ans. The weaknesses of Kerberos are as follows —

(i) Kerberos requires continuous availability of a trusted ticket-granting server for all access control and authentication checks.

(ii) Authenticity of servers requires a trusted relationship between the TGS and every service server.

(iii) Timely transactions are required to reduce chances of a user with genuine ticket being denied service.

(iv) Password guessing could still work to get the valid secret key for a user. The whole system is still dependent on the user password.

(v) Kerberos does not scale well as the number of service servers is increased. The TGS has to maintain a trustworthy relationship and maintain the secret key for each SS. Adding backup service servers further complicates the situation.

(vi) Network services cannot be accessed without obtaining Kerberos authentication. All applications run by the users in the network need to go through Kerberos authentication.


SECURITY — THREATS IN NETWORKS, INFORMATION SECURITY CONTROLS, ARCHITECTURE, WIRELESS NETWORK SECURITY, HONEY POTS, TRAFFIC FLOW SECURITY

Q.1. What are the critical characteristics of information ? How are they used ? (R.G.P.V., June 2017)
Or
Explain the basic principles of information security. (R.G.P.V., June 2008, 2015)
Or
What are the key principles of security ? (R.G.P.V., Dec. 2008, 2009)
Or
Explain the following —
(i) Confidentiality (ii) Integrity (iii) Availability. (R.G.P.V., June 2011)

Ans. Network security problems can be divided roughly into four closely intertwined areas — secrecy, authentication, non-repudiation and integrity control. Secrecy, also called confidentiality, has to do with keeping information out of the hands of unauthorized users. Authentication deals with determining whom you are talking to before revealing sensitive information or entering into a business deal. Non-repudiation deals with signatures — How do you prove that your customer really placed an electronic order for ten million left-handed doohickeys at 89 cents each when he later claims the price was 69 cents ? Or maybe he claims he never placed any order. Finally, how can you be sure that a message you received was really the one sent and not something that a malicious adversary modified in transit or concocted ?

These are the four chief issues (principles) of security. There are two more — access control and availability.

The different security principles are discussed below —


(i) Confidentiality — The principle of confidentiality specifies that only the sender and the intended recipient(s) should be able to access the contents of a message. Confidentiality gets compromised if an unauthorized person is able to access a message. Example of compromising the confidentiality of a message is shown in fig. 4.1. In this figure, the user of computer A sends a message to the user of computer B. Another user C gets access to this message, which is not desired, and therefore, defeats the purpose of confidentiality. Example of this could be a confidential email message sent by A to B, which is accessed by C without the permission or knowledge of A and B. This type of attack is known as interception.

Fig. 4.1 Loss of Confidentiality (ideal route of the message from A to B; C intercepts it)

Interception causes loss of message confidentiality.

(ii) Authentication — Authentication mechanisms help to establish proof of identities. The authentication process ensures that the origin of an electronic message or document is correctly identified. For instance, suppose that user C sends an electronic document over the Internet to user B. However, the trouble is that user C had posed as user A when he sent this document to user B. How would user B know that the message has come from user C, who is posing as user A ? A real life example of this could be the case of a user C, posing as user A, sending a funds transfer request (from A's account to C's account) to bank B. The bank might happily transfer the funds from A's account to C's account; after all, it would think that user A has requested for the funds transfer. This concept is shown in fig. 4.2. This type of attack is known as fabrication.

Fig. 4.2 Absence of Authentication

Fabrication is possible in absence of proper authentication mechanisms.

(iii) Integrity — When the contents of a message are changed after the sender sends it, but before it reaches the intended recipient, we say that the integrity of the message is lost. For example, suppose you write a check for $100 to pay for the goods bought from the US. However, when you see your next account statement, you are startled to see that the check resulted in a payment of $1000. This is the case for loss of message integrity. Conceptually, this is shown in fig. 4.3. Here, user C tampers with a message originally sent by user A, which is actually destined for user B. User C somehow manages to access it, change its contents, and send the changed message to user B. User B has no way of knowing that the contents of the message were changed after user A had sent it. User A also does not know about this change. This type of attack is known as modification.

Fig. 4.3 Loss of Integrity

Modification causes loss of message integrity.

(iv) Non-repudiation — There may be situations where a user sends a message, and later on refuses that he had sent that message. For example, user A could send a funds transfer request to bank B over the Internet. After the bank performs the funds transfer as per A's instructions, A could claim that he never sent the funds transfer instruction to the bank. Thus, A repudiates, or denies, his funds transfer instruction. The principle of non-repudiation defeats such possibilities of denying instructions, once sent. This is shown in fig. 4.4.

Fig. 4.4 Establishing Non-repudiation (A: "I never sent that message, which you claim to have received")

Non-repudiation does not allow the sender of a message to refute the claim of not sending that message.
(v) Access Control — The principle of access control determines who should be able to access what. For example, we can specify that user A can view the records in a database, but cannot update them. However, user B might be allowed to make updates as well. An access control mechanism can be used to ensure this. Access control is related to two areas — role management and rule management. Role management concentrates on the user side (which user can do what), whereas rule management focuses on the resources side (which resource is accessible, and under what circumstances). Based on the decisions taken here, an access control matrix is prepared, which lists the users against a list of items they can access (e.g., it can say that user A can write to file X, but can only update files Y and Z). An Access Control List (ACL) is a subset of an access control matrix.

Access control specifies and controls who can access what.

(vi) Availability — The principle of availability says that resources (i.e., information) should be available to authorized parties at all times. For example, due to the intentional actions of another unauthorized user C, an authorized user A may not be able to contact a server computer B, as shown in fig. 4.5. This would defeat the principle of availability. This type of attack is known as interruption.

Fig. 4.5 Attack on Availability
Interruption puts the availability of resources in danger.


Q.2. Why is confidentiality an important principle of security? (R.G.P.V., June 2014)

Ans. Refer to Q.1 (i).

Q.3. Define the terms integrity, confidentiality, denial of service and authentication. (R.G.P.V., May 20…)

Ans. Integrity — Refer to Q.1 (iii).

Confidentiality — Refer to Q.1 (i).

Denial of Service — Denial of service (DoS) may slow down or totally interrupt the service of a system. Several strategies can be used by attackers to achieve this. The attacker may send so many bogus requests to a server that the server crashes due to the heavy load. The attacker may intercept and delete a server's response to a client, leading the client to believe that the server is not responding. The attacker may also intercept requests from the clients, leading the clients to send requests several times and overload the system.

Authentication — Refer to Q.1 (ii).

Q.4. What is network security?

Ans. Security is a continuous process of protecting an object from attack. That object may be a person, an organization like a business, or property like a computer system or a file. When we consider a computer system, for example, its security means the security of all its resources like its physical hardware components like printers, the CPU, the monitors, and others. In addition to its physical resources, it also stores non-physical resources like data and information that need to be protected. In a distributed computer system like a network, security protection covers physical and non-physical resources that make up the network, including communication channels and connectors like modems and servers, as well as the files stored on those servers. Thus, in each of these cases, security means preventing unauthorized access, use, alteration, and theft or physical damage to these resources.


Q.5. Explain various types of software threats in detail. (R.G.P.V., June 2010, 2015)
Or
What are the types of malware (malicious software)? Briefly explain each of them. (R.G.P.V., June 2005, Dec. 2005, 2006, 2008)

Ans. Fig. 4.6 shows an overall taxonomy of software threats, or malicious programs. These threats can be divided into two categories — those that need a host program, and those that are independent. The former are essentially fragments of programs that cannot exist independently of some actual application program, utility, or system program. The latter are self-contained programs that can be scheduled and run by the operating system.

Fig. 4.6 Taxonomy of Malicious Programs (tree labels: Malicious Programs; Needs Host Program; Independent; Replicate)
Trap Doors — A trap door is a secret entry point into a program that allows someone that is aware of the trap door to gain access without going through the usual security access procedures. Trap doors have been used legitimately for many years by programmers to debug and test programs. This is done when the programmer is developing an application that has an authentication procedure, or a long setup, requiring the user to enter many different values to run the application. To debug the program, the developer may wish to gain special privileges or to avoid all the necessary setup and authentication. The programmer may also want to ensure that there is a method of activating the program should something be wrong with the authentication procedure that is being built into the application. The trap door is code that recognizes some special sequence of input or is triggered by being run from a certain user ID or by an unlikely sequence of events.

Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access. It is difficult to implement operating system controls for trap doors.
Logic Bomb — The logic bomb is code embedded in some legitimate program that is set to explode when certain conditions are met. Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. When triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage.

Trojan Horses — A Trojan horse is a program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function.


Trojan horse programs can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan horse program that, when executed, changed the invoking user's file permissions so that the files are readable by any user. The author could then induce users to run the program by placing it in a common directory and naming it such that it appears to be a useful utility.

Zombie — A zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie's creator. Zombies are used in denial-of-service attacks against targeted Web sites. The zombie is planted on hundreds of computers belonging to unsuspecting third parties, and then used to overwhelm the target Web site by launching an overwhelming onslaught of Internet traffic.

Virus — A virus is a program that can infect other programs by modifying them. The modification includes a copy of the virus program, which can then go on to infect other programs.
Biological viruses are tiny scraps of genetic code — DNA or RNA — that can take over the machinery of a living cell and trick it into making thousands of flawless replicas of the original virus. Like its biological counterpart, a computer virus carries in its instructional code the recipe for making perfect copies of itself. Lodged in a host computer, the typical virus takes temporary control of the computer's disk operating system. Then, whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program. Thus, the infection can be spread from computer to computer by unsuspecting users who either swap disks or send programs to one another over a network. In a network environment, the ability to access applications and system services on other computers provides a perfect culture for the spread of a virus.

Worm — A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm performs some unwanted functions. An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to system. However, we can still classify it as a virus because it needs a human to move it forward.


Q.6. What is a worm? What are the significant differences between a worm and a virus? (R.G.P.V., June 2014)
Or
Differentiate between viruses and worms. (R.G.P.V., June 2016)

Ans. Refer to Q.5.


Q.7. What is the difference between passive and active security threats? (R.G.P.V., June 2013)
Or
Why are some attacks called passive? Why are other attacks called active? (R.G.P.V., June 2014)

Ans. Passive Attacks — A passive attack attempts to learn or make use of information from the system but does not affect system resources. It means that the goal of the opponent is to obtain information. Passive attacks are those that threaten confidentiality — snooping and traffic analysis. The revealing of information may harm the sender or receiver of the message, but the system is not affected. That is why it is difficult to find this kind of attack until the sender or receiver finds out about the leaking of confidential information.

Active Attacks — An active attack may change system resources or affect their operation. Active attacks are those that threaten integrity and availability. Active attacks are easier to detect than to prevent, because an attacker can launch them in a number of ways.
Q.8. What are the differences between threat and attack?

Ans. Threat — A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

Attack — An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.

Q.9. Describe the model of network security.

Ans. Fig. 4.7 shows the model for network security. A message is to be sent from one party to another across some sort of Internet. The two parties, who are the principals involved in this transaction, must cooperate for the exchange to occur. A logical information channel is established by defining a route through the Internet from source to destination and by the cooperative use of communication protocols by the two principals (parties).

Fig. 4.7 Network Security Model (blocks: Sender; Security-related Transformation; Secure Message; Recipient; Secret Information at each principal; Opponent; Trusted Third Party, e.g. arbiter, distributer of secret information)
Security aspects are important when it is necessary or desirable to protect the information transmission from an opponent who may present a threat to confidentiality, authenticity, and so on. The techniques for providing security have two components —

(i) A security-related transformation on the information to be transferred. Examples are the encryption of the message, and the addition of a code based on the contents of the message.

(ii) Some secret information shared by the two principals and, it is expected, unknown to the opponent. For example, an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.

A trusted third party may be required to get secure transmission. For instance, a third party may be responsible for distributing the secret information to the two principals while keeping it from any opponent. Or a third party may be required to arbitrate disputes between the two principals concerning the authenticity of a message transmission.
According to this general model, there are four basic tasks in designing a particular security service —
(i) Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
(ii) Generate the secret information to be used with the algorithm.
(iii) Develop methods for the distribution and sharing of the secret information.
(iv) Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to get a particular security service.

Q.10. What are the various security mechanisms to achieve security goals?

Ans. The various security mechanisms to achieve security goals are —
(i) Encipherment — Encipherment can provide confidentiality. It can also be used to complement other mechanisms to provide other services. Today, two techniques are used for enciphering — cryptography and steganography.
(ii) Data Integrity — The data integrity mechanism appends to the data a short checkvalue that has been created by a specific process from the data itself. The data and the checkvalue are received by the receiver. From the data, the receiver creates a new checkvalue and compares the newly created checkvalue with the one received. The integrity of data has been preserved if the two checkvalues are the same.
(iii) Digital Signature — A digital signature is a means by which the sender can electronically sign the data and the receiver can electronically verify the signature. The sender uses a process that involves showing that she owns a private key related to the public key that she has announced publicly. The receiver uses the sender's public key to prove that the message is indeed signed by the sender who claims to have sent the message.
(iv) Authentication Exchange — In authentication exchange, two entities exchange some messages to prove their identity to each other. For example, one entity can prove that she knows a secret that only she is supposed to know.
(vi) Routing Control — Routing control means selecting and continuously changing different available routes between the sender and the receiver to prevent the opponent from eavesdropping on a particular route.
(vii) Notarization — Notarization means selecting a third trusted party to control the communication between two entities. This can be done to prevent repudiation. The receiver, for example, can involve a trusted party to store the sender's request in order to prevent the sender from later denying that she has made such a request.
(viii) Access Control — Access control uses methods to prove that a user has access right to the data or resources owned by a system.
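The checkvalue exchange of mechanism (ii) above, as an added example that is not the textbook's own code: the "specific process" that derives the checkvalue from the data is assumed here to be HMAC-SHA256 under a key shared by the two principals, and the key and messages are constructed. It also shows why an unkeyed hash as the checkvalue detects accidental corruption but not a deliberate modification in transit.

```python
"""Added example (not from the textbook): the Q.10 (ii) data-integrity
mechanism as a sender/receiver exchange.  Assumption: the process that
creates the checkvalue is HMAC-SHA256 keyed with a secret the two
principals share; key and messages below are constructed sample data."""
import hashlib
import hmac
from typing import Tuple

# Constructed sample secret, assumed to be shared in advance by the principals.
SHARED_KEY = b"constructed-demo-key-for-illustration"


def checkvalue(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """The process that creates the short checkvalue from the data itself."""
    return hmac.new(key, data, hashlib.sha256).digest()


def send(data: bytes, key: bytes = SHARED_KEY) -> Tuple[bytes, bytes]:
    """Sender side: the data travels with its checkvalue appended."""
    return data, checkvalue(data, key)


def receive(data: bytes, received_cv: bytes, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: create a new checkvalue from the received data and
    compare it with the one received; integrity is preserved only if the
    two are the same.  compare_digest keeps the comparison time independent
    of where the two values first differ."""
    return hmac.compare_digest(checkvalue(data, key), received_cv)


def unkeyed_checkvalue(data: bytes) -> bytes:
    """A plain hash used as the checkvalue: no secret is involved, so anyone
    who alters the data can recompute a matching value for the altered data."""
    return hashlib.sha256(data).digest()


def receive_unkeyed(data: bytes, received_cv: bytes) -> bool:
    """Receiver side for the unkeyed variant, same compare step as above."""
    return hmac.compare_digest(unkeyed_checkvalue(data), received_cv)


if __name__ == "__main__":
    original = b"transfer 100 from A to B"   # constructed message
    altered = b"transfer 900 from A to B"    # the same message after modification
    data, cv = send(original)
    print("unmodified, keyed      :", receive(data, cv))                    # True
    print("modified, keyed        :", receive(altered, cv))                 # False
    # An opponent without the key cannot produce a checkvalue that verifies.
    print("forged without key     :", receive(altered, checkvalue(altered, b"guess")))
    # With an unkeyed checkvalue the opponent simply recomputes it.
    print("modified, unkeyed      :", receive_unkeyed(altered, unkeyed_checkvalue(altered)))
```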
Q.11. With a proper diagram, briefly explain the categorization of various attacks from the taxonomy of attacks which threaten the security goals.

Ans. Security Goals — Fig. 4.8 shows three security goals — confidentiality, integrity and availability.

(i) Confidentiality — Confidentiality is the most common aspect of information security. It is required to protect our confidential information. An organization requires to protect against those malicious actions that endanger the confidentiality of its information. In the military, concealment of sensitive information is very crucial. In industry, concealment of information from competitors is crucial to the operation of the organization. In banking, customers' accounts require to be kept secret.

(ii) Integrity — Information needs to be changed constantly. In banking, when a customer deposits or withdraws money, the balance of her account needs to be changed. Integrity requires that changes need to be done only by authorized entities and through authorized mechanisms. It is not necessary that an integrity violation is the result of a malicious act. An interruption in the system, such as a power failure, may also create undesired changes in some information.

(iii) Availability — It is required that the information created and stored by an organization be available to authorized persons. Information changes constantly, which means it must be accessible to authorized persons. The unavailability of information is just as dangerous for an organization as the lack of confidentiality or integrity.

Attacks — The three security goals — confidentiality, integrity, and availability — can be threatened by security attacks. Fig. 4.9 shows the taxonomy of security attacks.

(i) Attacks Threatening Confidentiality — There are two types of attacks that threaten the confidentiality of information — snooping and traffic analysis.
(a) Snooping — Snooping means unauthorized access to or interception of data. For instance, a file transferred through the Internet may contain confidential information. An unauthorized person may intercept the transmission and use the contents for his own benefit. The data can be made nonintelligible to the intercepter by using encipherment techniques to prevent snooping.
(b) Traffic Analysis — Although encipherment of data may make it nonintelligible for the intercepter, he can still get some other type of information by monitoring online traffic. For example, he can get the electronic address of the sender or the receiver. He can collect pairs of requests and responses to help guess the nature of the transaction.

(ii) Attacks Threatening Integrity — The integrity of data can be threatened by several kinds of attacks.
(a) Modification — The attacker alters the information to make it beneficial to himself after intercepting or accessing the information. For example, a customer sends a message to a bank to perform some transaction. The attacker intercepts the message and alters the mode of transaction to benefit himself.
(b) Masquerading — It occurs when the attacker impersonates somebody else. For example, an attacker may steal the bank card and PIN of a bank customer and pretend that he is that customer. Also, the attacker may pretend instead to be the receiver entity. For example, a user attempts to contact a bank, but another site pretends that it is the bank and gets some important information from the user.
(c) Replaying — The attacker gets a copy of a message sent by a user and later attempts to replay it. For instance, a person sends a request to his bank to ask for payment to the attacker, who has done a job for him. The attacker intercepts the message and sends it again to get another payment from the bank.
(d) Repudiation — It is performed by one of the two parties in the communication — the sender or the receiver. The sender of the message may later deny that he has sent the message. The receiver of the message may later deny that he has received the message. A customer asking his bank to send some money to a third party but later denying that he has made such a request is an example of denial by the sender. When a person buys a product from a manufacturer and pays for it electronically but the manufacturer later denies having received the payment and asks to be paid, that is an example of denial by the receiver.

Fig. 4.9 Taxonomy of Attacks with Relation to Security Goals (tree labels: Security Attacks; Threat to Confidentiality; Threat to Integrity; Threat to Availability; leaves such as Traffic Analysis)
(iii) Attacks Threatening Availability —
(a) Denial of Service (DoS) — DoS may slow down or totally interrupt the service of a system. Several strategies can be used by attackers to achieve this. The attacker may send so many bogus requests to a server that the server crashes due to the heavy load. The attacker may intercept and delete a server's response to a client, leading the client to believe that the server is not responding. The attacker may also intercept requests from the clients, leading the clients to send requests several times and overload the system.

Q.12. Explain the concept of honeypot. (R.G.P.V., Dec. 2003, June …)
Or
Write short note on honeypot. (R.G.P.V., Dec. 2006, June 2008, Dec. 2008)
Or
What is honey-pot?

Ans. A relatively recent innovation in intrusion detection technology is the honeypot. Honeypots are decoy systems designed to lure a potential attacker away from critical systems. Honeypots are designed to —
(i) Divert an attacker from accessing critical systems
(ii) Collect information about the attacker's activity
(iii) Encourage the attacker to stay on the system long enough for administrators to respond.
These systems … the network, administrators can observe their behaviour in detail and figure out defenses.

Q.13. Write short note on traffic flow security.

Ans. Traffic-flow security is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include —
(i) Changing radio callsigns frequently
(ii) Encryption of a message's sending and receiving addresses
(iii) Causing the circuit to appear busy at all times or much of the time by sending dummy traffic
(iv) Sending a continuous encrypted signal, whether or not traffic is being sent. This is also called masking or link encryption.
Traffic-flow security is one aspect of communications security.

Q.14. What are the firewalls? How does a firewall guard corporate networks? (R.G.P.V., June 2013)
Or
Write short note on firewalls. (R.G.P.V., June 2017)

Ans. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.

A firewall works just as a sentry. The implementation of a firewall guards the corporate network by standing between the network and the outside world. All traffic between the network and the Internet must pass through the firewall, and it depends on the firewall whether the traffic should be allowed to flow or not. Fig. 4.10 shows this.

Fig. 4.10 Firewall between the corporate network and the outside world (figure label: Network Backbone)


Q.15. What are the capabilities of a good firewall implementation? (R.G.P.V., June 2006, Dec. 2008)

Ans. The following capabilities (or characteristics) are provided by a firewall —
(i) A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.

Q.16. What are the design goals or design principles of firewall? (R.G.P.V., June 2005, Dec. 2005)

Ans. The design goals or design principles of firewall are —
(i) All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
(ii) Only authorized traffic will be allowed to pass. Various types of firewalls are used, which implement various types of security policies.
(iii) The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.

Q.17. What are the two main attacks on corporate networks? (R.G.P.V., June 2014)

Ans. The two main attacks on corporate networks are as follows —
(i) Most corporations contain a huge amount of valuable and confidential data in their networks. Leaking of this critical information to competitors can be a great setback.
(ii) There is a great danger of the outside elements entering a corporate network to create havoc.
Q.18. What are the limitations of a firewall? (R.G.P.V., June 2014)

Ans. A firewall has the following limitations —
(i) The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwillingly cooperates with an external attacker.
(ii) The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and messages for viruses.
(iii) The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.


Q.19. What are the various functions of firewall?
Or
Explain the functionality of firewalls. (R.G.P.V., June 2011)

Ans. The main functions of a firewall are as follows —
(i) Access Control — A firewall filters incoming as well as outgoing packets. A firewall is said to be configured with a rule set that specifies which packets are to be allowed and which are to be dropped.
(ii) Address/Port Translation — Network Address Translation (NAT) was initially devised to alleviate the shortage of IP addresses. Administrators use a set of private addresses on their internal networks, but these are globally invalid. Publicly accessible machines within an organization may not have public Internet addresses. It is also possible to conceal the addressing schema of these machines from the outside world by the use of NAT. Through NAT, internal machines, though not visible on the Internet, can establish a connection with external machines. NAT is done by firewalls.
(iii) Logging — A good security architecture will ensure that each incoming or outgoing packet encounters at least one firewall. The firewall can log all anomalous packets or flows for later study. These logs are useful for studying attempts at penetration, together with various worm and other attacks.
(iv) Authentication, Caching, etc. — Some types of firewalls may perform authentication of external machines attempting to establish a connection with an internal machine. A special type of firewall called a Web proxy authenticates internal users attempting to access an external service. Such a firewall is also used to cache frequently requested webpages. This results in decreased response time to the client while saving communication bandwidth.
Q.20. What is the use of firewall? Explain firewall design principles. (R.G.P.V., May …)

Ans. Use of Firewall — Refer to Q.19.
Firewall Design Principles — Refer to Q.16.

Q.21. List four techniques used by firewalls to control access and enforce a security policy. (R.G.P.V., 201…)

Ans. The four techniques that firewalls use to control access and enforce the site's security policy are as follows —
(i) Service Control — The firewall may filter traffic on the basis of IP addresses, TCP, UDP, port numbers, and DNS and FTP protocols, in addition to providing proxy software that receives and interprets each service request before passing it on.
(ii) Direction Control — Where permission for traffic flow is determined from the direction of the requests.
(iii) User Control — Where access is granted based on which user is attempting to access the internal protected network; may also be used on incoming traffic.
(iv) Behaviour Control — In which access is granted based on how particular services are used, for example, filt ering email to eliminate spam.

Q.22. Discuss policies and access control lists for access to various types of services.

Ans. High-level policies for access to various types of services are formulated within an organization or campus. Examples of these include the following —
(i) All received e-mail should be filtered for spam and viruses.
(ii) All HTTP requests by external clients for access to authorized pages of the organization's website should be permitted.
(iii) Employees should be allowed to remotely login to internal machines. However, all such communication should be authenticated and encrypted.
(iv) DNS queries made by external machines should be allowed provided they pertain to addresses of the organization's publicly accessible services such as the Web server or the external e-mail server. However, queries related to the IP addresses of internal machines should not be entertained.
(v) Only two types of outgoing traffic are permitted. First, e-mail from within the organization to the outside world is permitted. Second, HTTP requests emanating from within the organization for external websites are permitted. However, requests for pages from certain "inappropriate" websites should be denied.

High-level policies are translated into a set of rules that comprise an Access Control List (ACL). A rule specifies the action to be taken as a function of —
(i) The packet's source IP address and port number
(ii) The packet's destination IP address and port number
(iii) The transport protocol in use
(iv) The packet's direction — incoming or outgoing.

Policies can, in general, be either permissive or restrictive. A permissive policy permits all packets except those that are explicitly forbidden. A restrictive policy drops all packets except those that are explicitly permitted. The ACL in table 4.1 is based on a restrictive policy — the default action is Deny, as expressed in its "Forbid all other …" rules. The rules are scanned top to bottom. As soon as a rule is found that matches a packet's attributes (IP addresses, port numbers, etc.), the action in that rule is taken and no further rules are processed for that packet.

Table 4.1 Example Access Control List
Incoming traffic: Allow requests for organization's webpages; Allow DNS queries; Allow incoming VPN traffic; Forbid all other incoming traffic.
Outgoing traffic: Allow requests for external webpages; Forbid all other outgoing traffic.

Q.23. Which type of access control is more important in security?

Ans. Access control is a security technique that can be used to regulate who or what can view or use resources in a computing environment. There are two main types of access control — physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.
Q.24. Explain various types of firewalls.
Or
What are some weaknesses of a packet-filtering router, application level gateway and circuit level gateway? What is the interac… (R.G.P.V., Dec. 2003, June …)

Ans. Fig. 4.11 shows the three common types of firewalls — packet filters, application-level gateways, and circuit-level gateways.

Fig. 4.11 Three Types of Firewalls — (a) Packet-filtering Router; (b) Application-level Gateway (Outside Host, Outside Connection, Gateway, Inside Connection, Inside Host); (c) Circuit-level Gateway (Outside Host, Outside Connection, Gateway, Inside Connection, Inside Host)


(i) Packet-filtering Router — A packet filtering router, shown in fig. 4.11 (a), applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet — source IP address, destination IP address, source and destination transport-level address, and IP protocol field. The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken. Two default policies are possible —
(a) Default = discard — That which is not expressly permitted is prohibited.
(b) Default = forward — That which is not expressly prohibited is permitted.
The default discard policy is more conservative. Initially, everything is blocked, and services must be added on a case-by-case basis. This policy is more visible to users, who are more likely to see the firewall as a hindrance. The default forward policy increases ease of use for end users but provides reduced security. In essence, the security administrator must react to each new security threat as it becomes known.

One advantage of a packet-filtering router is its simplicity. Packet filters are transparent to users and are very fast. A packet-filtering router also has some weaknesses. Some of the weaknesses of a packet filter are as follows —
(a) Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions. For example, a packet filter firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within that application will be permitted.
(b) Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions.
(c) Because of the lack of upper layer functionality of the firewall, most packet filter firewalls do not support advanced user authentication policies.
(d) They are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing. Many packet filter firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered. Spoofing attacks are generally employed by intruders to bypass the firewall.
(e) Finally, due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches.
(669 CamScanner 


ay? 


182 Cryptography & Information Security 


Gen 
Ma 
j sags Sc} 
(ii) Application-level Gateway — An application-level gateway, also known as a proxy server, acts as a relay of application-level traffic, as shown in fig. 4.11 (b). The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and inputs a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable, while denying all other features.

Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level.

A prime disadvantage of the application-level gateway is the additional processing overhead on each connection. In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.

(iii) Circuit-level Gateway — A third type of firewall is the circuit-level gateway, shown in fig. 4.11 (c). It can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications. A circuit-level gateway does not allow an end-to-end TCP connection. Rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and the other between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

A typical use of a circuit-level gateway is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections. In this configuration, the gateway can incur the processing overhead of examining incoming application data for forbidden functions but does not incur that overhead on outgoing data.
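The two gateways of (ii) and (iii), as an added example that is not part of the original answer: the first function plays an application-level gateway for FTP, which parses each command line and relays only the verbs the administrator allows; the second plays a circuit-level gateway, which decides once whether the connection may be set up and then relays the same bytes without inspecting them. The FTP command subset, the allowed-host list, the user names and the session bytes are all assumed for illustration.

```python
# Added example (not from the page): an application-level gateway and a
# circuit-level gateway applied to the same client byte stream.
# Assumptions: FTP as the proxied application, a read-only command subset,
# an allowed-host list and a per-user connection policy; all hypothetical.
from typing import Dict, Set, Tuple

# Subset of the FTP command set the administrator considers acceptable.
ALLOWED_FTP_VERBS: Set[str] = {
    "USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT",
}
# Remote hosts the proxy is willing to contact on behalf of inside users.
ALLOWED_HOSTS: Set[str] = {"ftp.example.net"}


def application_gateway(remote_host: str, client_stream: bytes,
                        allowed_verbs: Set[str] = ALLOWED_FTP_VERBS,
                        allowed_hosts: Set[str] = ALLOWED_HOSTS
                        ) -> Tuple[bytes, bytes]:
    """Application-level gateway: the user first names the remote host, then
    the proxy parses each FTP command line and relays only permitted verbs.
    Returns (bytes relayed to the remote host, replies sent back to the user)."""
    if remote_host not in allowed_hosts:
        # The proxy never opens the second (outside) connection at all.
        return b"", b"421 host not permitted by policy\r\n"
    relayed, replies = [], []
    for line in client_stream.split(b"\r\n"):
        if not line:
            continue
        verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        if verb in allowed_verbs:
            relayed.append(line + b"\r\n")
        else:
            # Denied features never reach the remote host; the user gets an
            # FTP-style "command not implemented" reply from the gateway.
            replies.append(f"502 {verb} not permitted by policy\r\n".encode())
    return b"".join(relayed), b"".join(replies)


def circuit_gateway(inside_user: str, remote_host: str, client_stream: bytes,
                    policy: Dict[str, Set[str]]) -> Tuple[bytes, bytes]:
    """Circuit-level gateway: the only security decision is whether this
    (user, host) connection may be set up; afterwards the bytes are relayed
    from one connection to the other without examining their contents."""
    if remote_host not in policy.get(inside_user, set()):
        return b"", b"connection refused\r\n"
    return client_stream, b""


# Constructed sample session: a download followed by an attempted upload
# and delete, which the read-only proxy policy must stop.
SAMPLE_SESSION = (b"USER alice\r\nPASS s3cret\r\nCWD /pub\r\nRETR report.pdf\r\n"
                  b"STOR exfil.zip\r\nDELE report.pdf\r\nQUIT\r\n")

if __name__ == "__main__":
    relayed, replies = application_gateway("ftp.example.net", SAMPLE_SESSION)
    print(relayed.decode(), replies.decode())
    print(circuit_gateway("alice", "ftp.example.net", SAMPLE_SESSION,
                          {"alice": {"ftp.example.net"}}))
```

Run stand-alone, the application gateway relays USER, PASS, CWD, RETR and QUIT and answers STOR and DELE itself with a 502 reply, while the circuit gateway, once alice is authorized for that host, relays the whole session including the upload: the price of not looking inside the stream.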
Q.25. What is firewall and its types? (R.G.P.V., May 2019)
Or
What is firewall? List the types of firewalls and explain.
Ans. Refer to Q. … and Q.24.

Q.26. What is a packet filtering router? Draw a schematic diagram of a packet filtering router used as a firewall. (R.G.P.V., June 2016)
Ans. Refer to Q.24 (i).

Q.27. Write a short note on packet filters. (R.G.P.V., June 2015)
Ans. Refer to Q.24 (i).

Q.28. What is the role of application level gateway? Explain the working of an application level gateway. (R.G.P.V., Dec. 2011)
Or
Write short note on application level gateway. (R.G.P.V., June 2012)
Ans. Refer to Q.24 (ii).

Q.29. How is a circuit gateway different from application gateway? (R.G.P.V., June 2013)
Ans. Refer to Q.24 (ii) and (iii).

Q.30. What are the weaknesses of a packet filtering router? Discuss its solution. (R.G.P.V., June 2012)
Ans. Weakness of a Packet Filtering Router — Refer to Q.24 (i).

Some of the attacks on packet-filtering routers and the corresponding countermeasures are as follows —

(i) IP Address Spoofing — An intruder can send packets from the outside with a source IP address field containing an address of an internal user. This attack can be defeated by discarding packets with an internal source address if the packet arrives on an external interface.

(ii) Source Routing Attacks — The source station can specify the route that a packet should take as it moves along the Internet, in the hope that this will bypass security measures that do not analyze the source routing information. This attack can be defeated by discarding all packets that use this option.

(iii) Tiny Fragment Attacks — The IP fragmentation option is used by the intruder to create small fragments and force the TCP header information into a separate packet fragment. The attacker hopes that only the first fragment is checked by the filtering router and the remaining fragments are not checked. This attack can be defeated by discarding all packets where the protocol type is TCP and the IP fragment …
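The rule list and default policies of Q.24 (i) together with the three countermeasures of Q.30, as an added example that is not part of the original answer. The internal address range, the mail gateway, the rule set and the sample packets are constructed. The tiny-fragment test uses the condition given in RFC 1858 (protocol TCP with fragment offset 1); that condition is an assumption here, because the page's sentence is cut off before it.

```python
# Added example (not from the page): a stateless packet filter with the two
# default policies of Q.24 and the three countermeasures of Q.30.
# Assumptions: internal network 10.0.0.0/8, a mail gateway at 10.0.0.25,
# and the RFC 1858 tiny-fragment condition; all are illustrative.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int]         # destination port, None when not applicable
    iface: str                   # "external" or "internal": arrival interface
    frag_offset: int = 0         # IP fragment offset field, in 8-byte units
    source_routed: bool = False  # IP source-route option present


@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))


def sanity_checks(p: Packet) -> Optional[str]:
    """Q.30 countermeasures, applied before the rule list is consulted."""
    if p.iface == "external" and ip_address(p.src) in INTERNAL_NET:
        return "discard: spoofed internal source address on external interface"
    if p.source_routed:
        return "discard: source routing option"
    if p.proto == "tcp" and p.frag_offset == 1:
        # RFC 1858: a TCP fragment at offset 1 can only exist to split the
        # TCP header across fragments, so it is dropped (assumption, see lead-in).
        return "discard: tiny fragment"
    return None


def filter_packet(p: Packet, rules: List[Rule], default: str = "discard") -> str:
    """First matching rule wins; `default` applies when nothing matches."""
    reason = sanity_checks(p)
    if reason is not None:
        return reason
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed rule set: inbound SMTP to the mail gateway only; anything that
# arrives on the inside interface from an internal address may go out.
RULES = [
    Rule("forward", dst="10.0.0.25/32", proto="tcp", dport=25, iface="external"),
    Rule("forward", src="10.0.0.0/8", iface="internal"),
]

# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.7", "10.0.0.25", "tcp", 25, "external"),   # inbound SMTP
    Packet("198.51.100.7", "10.0.0.50", "tcp", 23, "external"),   # inbound telnet, no rule
    Packet("10.0.0.9", "198.51.100.7", "tcp", 443, "internal"),   # outbound HTTPS
    Packet("10.0.0.9", "10.0.0.25", "tcp", 25, "external"),       # spoofed internal source
    Packet("198.51.100.7", "10.0.0.25", "tcp", 25, "external", source_routed=True),
    Packet("198.51.100.7", "10.0.0.25", "tcp", None, "external", frag_offset=1),
]


def decide_all(default: str = "discard") -> List[str]:
    """Decisions for SAMPLE under the given default policy."""
    return [filter_packet(p, RULES, default) for p in SAMPLE]


if __name__ == "__main__":
    for policy in ("discard", "forward"):
        print(policy, decide_all(policy))
```

The only packet whose fate changes between the two default policies is the inbound telnet packet that matches no rule: default = discard drops it, default = forward lets it through. The spoofed, source-routed and tiny-fragment packets are dropped under either policy, because the countermeasures run before the rule list.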
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ñ: 


Q.31. What is bastion host? List some common characteristics of a bastion host.
Or
Explain bastion host. (R.G.P.V., …)

Ans. A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Typically, the bastion host serves as a platform for an application-level or circuit-level gateway. Common characteristics of a bastion host are as follows —

(i) The bastion host hardware platform executes a secure version of its operating system, making it a trusted system.

(ii) Only the services that the network administrator considers essential are installed on the bastion host. These include proxy applications such as Telnet, DNS, FTP, SMTP, and user authentication.

(iii) The bastion host may require additional authentication before a user is allowed access to the proxy services. In addition, each proxy service may require its own authentication before granting user access.

(iv) Each proxy is configured to support only a subset of the standard application's command set.

(v) Each proxy is configured to allow access only to specific host systems. This means that the limited command/feature set may be applied only to a subset of systems on the protected network.

(vii) Each proxy module is a very small software package specifically designed for network security. Because of its relative simplicity, it is easier to check such modules for security flaws.

(ix) A proxy generally performs no disk access other than to read its initial configuration file. This makes it difficult for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host.

(x) Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host.
Q.32. Explain various firewall configurations.
Or
What are the different types of firewall configuration? Explain the differences among them. (R.G.P.V., June 2007)

Ans. Fig. 4.12 shows three common firewall configurations.

(i) Screened Host Firewall System (Single-homed Bastion Host) — This configuration is shown in fig. 4.12 (a). It consists of two systems: a packet-filtering router and a bastion host. Typically, the router is configured so that —

(a) For traffic from the Internet, only IP packets destined for the bastion host are allowed in.

(b) For traffic from the internal network, only IP packets from the bastion host are allowed out.

The bastion host performs authentication and proxy functions. This configuration provides greater security than simply a packet-filtering router or an application-level gateway alone, for two reasons. First, this configuration implements both packet-level and application-level filtering, allowing considerable flexibility in defining the security scheme. Second, an intruder must generally penetrate two separate systems before the security of the internal network is compromised.

This configuration also affords flexibility in providing direct Internet access. For example, the internal network may include a public information server, such as a web server, for which a high level of security is not required. In that case, the router can be configured to allow direct traffic between the information server and the Internet. If the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network.

(ii) Screened Host Firewall System (Dual-homed Bastion Host) — This configuration is shown in fig. 4.12 (b).

(iii) Screened Subnet Firewall System — This configuration is shown in fig. 4.12 (c). It is the most secure of the three configurations. In this configuration, two packet-filtering routers are used, one between the bastion host and the Internet and the other between the bastion host and the internal network. This configuration creates an isolated subnetwork, which may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked. This configuration has the following advantages —

(a) There are now three levels of defense to thwart intruders.

(b) The outside router advertises only the existence of the screened subnet to the Internet. Therefore, the internal network is invisible to the Internet.

(c) Similarly, the inside router advertises only the existence of the screened subnet to the internal network. Therefore, the systems on the internal network cannot construct direct routes to the Internet.

[Fig. 4.12 Firewall Configurations: (a) Screened Host Firewall System (Single-homed Bastion Host), showing the packet-filtering router, the bastion host, the information server and the private network hosts; (b) Screened Host Firewall System (Dual-homed Bastion Host); (c) Screened-subnet Firewall System]

Q.33. How is screened host firewall, dual-homed bastion different from screened host firewall, single homed bastion? (R.G.P.V., June 2014)
Ans. Refer to Q.32.

Q.34. Write short note on personal firewalls.

Ans. Personal firewalls are very much needed for standalone machines connected to the Internet through various means like dial-ups, cable modems or other connections. Having a separate firewall computer to protect a single computer system can be too expensive and complex. A personal firewall is an application program running on a specific computer system. The firewall screens the incoming and outgoing traffic for the computer system and blocks the unwanted traffic from entering or leaving the system. The user could configure the personal firewall to accept traffic only from certain sites or not from specific sites and to generate logs of the past activities. The personal firewall can also be configured to function as a virus scanner, so that any incoming data to the system will first be scanned for any potential virus infection.
Q.35. Explain intrusion detection system (IDS). (R.G.P.V., June 2011)
Or
Write a short note on intrusion detection. (R.G.P.V., June 2015)
Or
Write a short note on IDS. (R.G.P.V., …)
Or
Write a short note on intrusion detection system. (R.G.P.V., May 2019)

Ans. An intrusion detection system (IDS) is a system used to detect unauthorized intrusions into computer systems and networks. Intrusion detection as a technology is not new; it has been used for generations to defend valuable resources. Kings, emperors, and nobles who had wealth used it in rather an interesting way. They built castles and palaces on the tops of mountains and sharp cliffs, with observation towers to provide them with a clear overview of the lands below, where they could detect any attempted intrusion ahead of time to defend themselves.

Over the years, intrusion detection has been used by individuals and companies in a number of ways, including erecting fences around valuable resources with sentry boxes to watch the activities surrounding the premises of the resource. Individuals have used dogs, fences, closed circuit television and other watchful gadgets to detect intrusions.

As technology has developed, a new industry based on intrusion detection has sprung up. Security firms are cropping up everywhere to offer individual and property security, to be a watchful eye so that the owner may take a vacation in peace. These new systems have capabilities to detect changes, compare user actions against known attack patterns, and predict changes in activities that indicate and can lead to …

Q.36. Discuss the concept of encrypted tunnels.

Ans. In fig. 4.13, the gateways G1, G2 and G3 connect the parts of a private network over the public Internet. The gateways establish tunnels with each other. All information between them is cryptographically protected.

[Fig. 4.13 Connecting a Private Network over a Public Internet]

The mechanics of the tunnel, from the IP point of view, are as follows. When A sends a packet to C, A will launch it with an IP header that has source = A, destination = C. When G1 sends it across the tunnel, it puts it into another envelope, i.e., it adds an additional IP header, treating the inner header as data. The outer IP header will contain source = G1 and destination = G2. All the contents will be encrypted and integrity protected, so it is safe to traverse the Internet. G1, G2 and G3 use the Internet like some sort of insecure wire. You might want your users to be able to access the corporate network from across the Internet as well. Suppose B is some sort of workstation that can attach to the Internet in any location. To do this, B would create a tunnel with one of the Gs. This configuration is often referred to as a VPN (Virtual Private Network).
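The tunnel mechanics described above, as an added example that is not part of the original answer. G1 wraps A's packet to C, inner IP header included, inside an outer IP header addressed from G1 to G2, encrypts the wrapped packet and appends an integrity tag; G2 checks the outer addresses and the tag and unwraps the original packet. The cipher (an HMAC-SHA256 keystream) and the HMAC tag are a standard-library stand-in for the AEAD that a real IPsec ESP tunnel uses, the outer protocol number 50 is borrowed from ESP, and all addresses and keys are invented.

```python
# Added example (not from the page): the G1 -> G2 tunnel of Q.36 in code.
# Assumptions: HMAC-SHA256 counter-mode keystream plus an HMAC tag stand in
# for a real AEAD such as AES-GCM; protocol 50 (ESP) marks tunnel packets;
# the addresses and keys are made up.
import hashlib
import hmac
import os
import struct
from ipaddress import ip_address

TUNNEL_PROTO = 50  # IP protocol number of ESP (assumption for the outer header)


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a bad header checksum."""
    if len(pkt) < 20 or pkt[0] != 0x45 or _checksum(pkt[:20]) != 0:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20])),
            pkt[9], pkt[20:total_len])


def _keys(tunnel_key: bytes):
    """Derive independent encryption and MAC keys from the shared tunnel key."""
    return (hmac.new(tunnel_key, b"enc", hashlib.sha256).digest(),
            hmac.new(tunnel_key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range(-(-n // 32)):
        out += hmac.new(k_enc, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
    return out[:n]


def encapsulate(inner: bytes, tunnel_key: bytes, g_out: str, g_in: str) -> bytes:
    """G_out wraps the whole inner packet (its header included) for G_in."""
    k_enc, k_mac = _keys(tunnel_key)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(k_enc, nonce, len(inner))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return ipv4_packet(g_out, g_in, TUNNEL_PROTO, nonce + ct + tag)


def decapsulate(outer: bytes, tunnel_key: bytes, g_out: str, g_in: str) -> bytes:
    """G_in checks the outer addresses and the tag, then recovers A's packet."""
    src, dst, proto, body = parse_ipv4(outer)
    if (src, dst, proto) != (g_out, g_in, TUNNEL_PROTO) or len(body) < 44:
        raise ValueError("not a packet from our tunnel peer")
    k_enc, k_mac = _keys(tunnel_key)
    nonce, ct, tag = body[:12], body[12:-32], body[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    inner = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))
    parse_ipv4(inner)  # the recovered inner header must itself be valid
    return inner


if __name__ == "__main__":
    key = os.urandom(32)
    a_to_c = ipv4_packet("10.1.0.5", "10.2.0.7", 6, b"hello C")          # A -> C
    on_wire = encapsulate(a_to_c, key, "203.0.113.1", "198.51.100.2")     # G1 -> G2
    print(parse_ipv4(on_wire)[:3])  # only G1, G2 and protocol 50 are visible on the Internet
    print(decapsulate(on_wire, key, "203.0.113.1", "198.51.100.2") == a_to_c)
```

The point to notice is that the inner header (A and C, the private addresses) is part of the encrypted body, so an observer on the public Internet learns only that G1 is talking to G2, and any modification of the envelope is caught by the tag before G2 looks at the inner packet.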
Q.37. Specify and explain classes of intruders. (R.G.P.V., June 2012)

Ans. Three classes of intruders are as follows —

(i) Masquerader — An individual who does not have the authority to use the computer, but penetrates into a system to access a legitimate user's account.

(ii) Misfeasor — A legitimate user who accesses some applications, data or resources for which such access is not authorized, or who has access to such applications or resources but misuses his/her privileges.

(iii) Clandestine User — A user who seizes supervisory control of the system and uses this control to avoid auditing and access controls or to suppress audit collection.

Q.38. Explain various classes of intruders. What is honey pot? (R.G.P.V., June 2017)

Ans. Three Classes of Intruders — Refer to Q.37.
Honey Pot — Refer to Q.12.

Q.39. Write the basic principle of intrusion detection system. (R.G.P.V., June 2006)
Or
Explain benefits that can be provided by an intrusion detection. (R.G.P.V., June 2008, Dec. 2008)
Or
What are three benefits that can be provided by an intrusion detection system? (R.G.P.V., June 2012)

Ans. Intrusion detection is learning of an attack either before or after its success. This interest is motivated by a number of considerations, including the following benefits —

(i) If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved.

(ii) Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

(iii) An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
Q.40. Define virus, intruders, worms. Also write the basic principle of intrusion detection system. (R.G.P.V., May 2018)

Ans. Virus — Refer to Q. ….

Intruders — One of the two most popular threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker. A user who gains, or attempts to gain, unauthorized access to a computer system, or who attempts to gain unauthorized privileges on that system, is known as an intruder. Also refer to Q.37.

Worms — Refer to Q.5.

Basic Principle of Intrusion Detection System — Refer to Q.39.

Q.41. Why would a leased line be a better alternative? Give some circumstances when VPN is not the best alternative. (R.G.P.V., June 201…)

Ans. The first case is a mission critical situation when you have to … all …. This cannot be achieved presently by a VPN; it can be achieved using leased lines. The second case is when the remote site can be reached using only local calls. In this case it is also more cost efficient to use dial-in or leased lines.

Q.42. What are the two approaches to intrusion detection?

Ans. Following are the two approaches to intrusion detection —

(i) Statistical Anomaly Detection — This involves the collection of data relating to the behaviour of legitimate users over a period of time. Statistical tests are then applied to observed behaviour to determine, with a high level of confidence, whether that behaviour is not legitimate user behaviour.

(a) Threshold Detection — Thresholds are defined, independent of user, for the frequency of occurrence of various events.

(b) Profile Based — A profile of the activity of each user is developed and used to detect changes in the behaviour of individual accounts.

(ii) Rule-Based Detection — It involves an attempt to define a set of rules that can be used to decide that a given behaviour is that of an intruder.

(a) Anomaly Detection — Rules are developed to detect deviation from previous usage patterns.

(b) Penetration Identification — An expert system approach that searches for suspicious behaviour.

Q.43. What is an audit record? What are its types? Describe the fields of an audit record.

Ans. The audit record is the fundamental tool for intrusion detection. Some record of ongoing activity by users must be maintained as input to an intrusion detection system. Basically, there are two types of audit records —

(i) Native Audit Records — Virtually all multiuser operating systems include accounting software that collects information on user activity. The advantage of using this information is that no additional collection software is needed. The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form.

(ii) Detection-specific Audit Records — A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.

Each audit record contains the following fields —

(i) Subject — Initiators of actions. A subject is typically a terminal user but might also be a process acting on behalf of users or groups of users. All activity arises through commands issued by subjects.

(ii) Action — Operation performed by the subject on or with an object. For example, login, read, perform I/O, execute.

(iii) Object — Receptors of actions. Examples include files, programs, messages, records, terminals, printers and user- or program-created structures.

(iv) Exception Condition — Denotes which, if any, exception condition is raised on return.

(v) Resource-usage — A list of quantitative elements in which each element gives the amount used of some resource.

(vi) Time-stamp — Unique time-and-date stamp identifying when the action took place.

Q.44. Explain rule-based intrusion detection method.

Ans. Rule-based techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious. In very general terms, we can characterize all approaches as focusing on either anomaly detection or penetration identification, although there is some overlap in these approaches.

Rule-based anomaly detection is similar in terms of its approach and strengths to statistical anomaly detection. With this approach, historical audit records are analyzed to identify usage patterns and to generate automatically rules that describe those patterns. Rules may represent past behaviour patterns of users, programs, privileges, time slots, terminals and so on. Current behaviour is then observed and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behaviour. Rule-based anomaly detection does not require knowledge of security vulnerabilities within the system. For this approach to be effective, a large database of rules is needed.

Rule-based penetration identification takes a very different approach to intrusion detection, one based on expert system technology. The key feature of such systems is the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behaviour even when the behaviour is within the bounds of established patterns of usage. Typically, the rules used in these systems are specific to the machine and operating system. Also, such rules are generated by "experts" rather than by means of an automated analysis of audit records. The normal procedure is to interview system administrators and security analysts to collect a suite of known penetration scenarios and key events that threaten the security of the target system. Thus, the strength of the approach depends on the skill of those involved in setting up the rules.

In terms of the types of attackers discussed earlier, statistical anomaly detection is effective against masqueraders, who are unlikely to mimic the behaviour patterns of the accounts they appropriate. On the other hand, such techniques may be unable to deal with misfeasors. For such attacks, rule-based approaches may be able to recognize events and sequences that, in context, reveal penetration. In practice, a system may exhibit a combination of both approaches to be effective against a broad range of attacks.

Intrusion detection systems from different sources may need to interact with each other. The outputs required for this are the following —

(i) A requirements document, which describes the high-level functional requirements for communication between intrusion detection systems, including the rationale for those requirements. Scenarios will be used to illustrate the requirements.

(ii) A common intrusion language specification, which describes data formats that satisfy the requirements.

(iii) A framework document, which identifies existing protocols best used for communication between intrusion detection systems and describes how the devised data formats relate to them.
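Audit records carrying the six fields of Q.43, run through the two rule-based methods of Q.44, as an added example that is not part of the original answer. Usage rules are generated from historical records (rule-based anomaly detection: which terminal and which hour each subject normally logs in from), and two scenario rules stand in for the expert-written rules of penetration identification (repeated failed logins followed by a success, and a denied read of the password file). The records, terminals, thresholds and rule definitions are all constructed.

```python
# Added example (not from the page): audit records with the six fields of
# Q.43 fed to the two rule-based methods of Q.44.  The learned usage rules,
# the two "expert" scenario rules and every record below are constructed.
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

AuditRecord = namedtuple(
    "AuditRecord", "subject action object exception resource_usage timestamp")


def T(s: str) -> datetime:  # constructed timestamps
    return datetime.fromisoformat(s)


# --- Rule-based anomaly detection: rules generated from historical records ---
def learn_usage_rules(history: List[AuditRecord]) -> Dict[str, Set[Tuple[str, int]]]:
    """One rule per subject: the (terminal, hour-of-day) pairs seen at login."""
    rules = defaultdict(set)
    for r in history:
        if r.action == "login" and r.exception is None:
            rules[r.subject].add((r.object, r.timestamp.hour))
    return rules


def anomalies(current: List[AuditRecord], rules) -> List[str]:
    """Flag a successful login that matches no historically observed pattern."""
    out = []
    for r in current:
        if r.action == "login" and r.exception is None:
            if (r.object, r.timestamp.hour) not in rules.get(r.subject, set()):
                out.append(f"{r.subject}: login from {r.object} at "
                           f"{r.timestamp.hour:02d}h outside historical pattern")
    return out


# --- Rule-based penetration identification: expert-written scenario rules ---
def password_guessing(records: List[AuditRecord], failures: int = 3,
                      window: timedelta = timedelta(minutes=2)) -> List[str]:
    """Rule: at least `failures` failed logins then a success within `window`."""
    out, recent = [], defaultdict(list)
    for r in sorted(records, key=lambda x: x.timestamp):
        if r.action != "login":
            continue
        q = recent[r.subject]
        q[:] = [t for t in q if r.timestamp - t <= window]   # keep the window
        if r.exception == "auth-failure":
            q.append(r.timestamp)
        elif r.exception is None and len(q) >= failures:
            out.append(f"{r.subject}: {len(q)} failed logins then success "
                       f"at {r.timestamp:%H:%M}")
            q.clear()
    return out


def shadow_probe(records: List[AuditRecord]) -> List[str]:
    """Rule: a non-root subject denied on /etc/shadow is probing for a weakness."""
    return [f"{r.subject}: denied read of {r.object} at {r.timestamp:%H:%M}"
            for r in records
            if r.action == "read" and r.object == "/etc/shadow"
            and r.exception == "permission-denied" and r.subject != "root"]


# Constructed history: alice always logs in from tty1 during the 09h slot.
HISTORY = [AuditRecord("alice", "login", "tty1", None, {"cpu_ms": 5},
                       T(f"2024-03-0{d} 09:0{d}")) for d in range(1, 6)]
# Constructed current records: one normal login, one odd login, one attack.
CURRENT = [
    AuditRecord("alice", "login", "tty1", None, {"cpu_ms": 4}, T("2024-03-08 09:12")),
    AuditRecord("alice", "login", "pts/7", None, {"cpu_ms": 4}, T("2024-03-08 03:40")),
    AuditRecord("mallory", "login", "pts/2", "auth-failure", {}, T("2024-03-08 10:00:00")),
    AuditRecord("mallory", "login", "pts/2", "auth-failure", {}, T("2024-03-08 10:00:20")),
    AuditRecord("mallory", "login", "pts/2", "auth-failure", {}, T("2024-03-08 10:00:45")),
    AuditRecord("mallory", "login", "pts/2", None, {}, T("2024-03-08 10:01:10")),
    AuditRecord("mallory", "read", "/etc/shadow", "permission-denied", {}, T("2024-03-08 10:02")),
]


def run() -> List[str]:
    """All alerts from both methods over the constructed records."""
    rules = learn_usage_rules(HISTORY)
    return anomalies(CURRENT, rules) + password_guessing(CURRENT) + shadow_probe(CURRENT)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The learned rules catch alice's 03h login from an unfamiliar terminal and, because mallory has no history at all, her successful login too; the scenario rules catch the guessing sequence and the password-file probe, which no usage profile would flag on its own. The normal tty1 login at 09h raises nothing.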
Q.46. Explain statistical anomaly detection method for intrusion detection.

Ans. Statistical anomaly detection techniques fall into two broad categories: threshold detection and profile-based systems. Threshold detection involves counting the number of occurrences of a specific event type over an interval of time. If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed.

Threshold analysis, by itself, is a crude and ineffective detector of even moderately sophisticated attacks. Both the threshold and the time interval must be determined. Because of the variability across users, such thresholds are likely to generate either a lot of false positives or a lot of false negatives. However, simple threshold detectors may be useful in conjunction with more sophisticated techniques.

Profile-based anomaly detection focuses on characterizing the past behaviour of individual users or related groups of users and then detecting significant deviations. A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert.

The foundation of this approach is an analysis of audit records. The audit records provide input to the intrusion detection function in two ways. First, the designer must decide on a number of quantitative metrics that can be used to measure user behaviour. An analysis of audit records over a period of time can be used to determine the activity profile of the average user. Thus, the audit records serve to define typical behaviour. Second, current audit records are the input used to detect intrusion. That is, the intrusion detection model analyzes incoming audit records to determine deviation from average behaviour.

Examples of metrics that are useful for profile-based intrusion detection are the following —

(i) Counter — A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time. Examples include the number of logins by a single user during an hour, the number of times a given command is executed during a single user session and the number of password failures during a minute.

(ii) Gauge — A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity. Examples include the number of logical connections assigned to a user application and the number of outgoing messages queued for a user process.

(iii) Interval Timer — The length of time between two related events. An example is the length of time between successive logins to an account.

(iv) Resource Utilization — Quantity of resources consumed during a specified period. Examples include the number of pages printed during a user session and the total time consumed by a program execution.

The main advantage of the use of statistical profiles is that a prior knowledge of security flaws is not required. The detector program learns what is "normal behaviour" and then looks for deviations. The approach is not based on system-dependent characteristics and vulnerabilities. Thus, it should be readily portable among a variety of systems.
Q.47. What metrics are useful for profile based intrusion detection? (R.G.P.V., June 2016) What are benefits that can be provided by an intrusion detection system? (R.G.P.V., Dec. …)

Ans. Refer to Q.46 and Q.39.

Q.48. Explain the term base-rate fallacy. Explain statistical anomaly detection method for intrusion detection. (R.G.P.V., June …)

Ans. Base-rate Fallacy — To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. If only a modest percentage of actual intrusions are detected, the system provides a false sense of security. On the other hand, if the system frequently triggers an alert when there is no intrusion (a false alarm), then either system managers will begin to ignore the alarms, or much time will be wasted analyzing the false alarms. Unfortunately, because of the nature of the probabilities involved, it is very difficult to meet the standard of a high rate of detections with a low rate of false alarms. In general, if the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating. This is an example of a phenomenon known as the base-rate fallacy.

Statistical Anomaly Detection Method — Refer to Q.46.
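Threshold detection and profile-based detection from Q.46, followed by the base-rate calculation behind Q.48, as an added example that is not part of the original answer. The login events, the threshold of five password failures per minute, the three-standard-deviation cut-off for the profile, and the detection and false-alarm rates fed to the Bayes calculation are all assumptions chosen for illustration.

```python
# Added example (not from the page): the two statistical anomaly detectors of
# Q.46 run over constructed login events, then the base-rate calculation of
# Q.48.  Thresholds, the z-score cut-off, the detector rates and the events
# are all illustrative assumptions.
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed audit events: (subject, action, exception, timestamp).
Event = Tuple[str, str, object, datetime]


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


def threshold_alerts(events: List[Event], limit: int = 5) -> List[str]:
    """Threshold detection: more than `limit` password failures by one subject
    within one minute, with the same limit for every subject."""
    per_minute = Counter()
    for subject, action, exc, ts in events:
        if action == "login" and exc == "auth-failure":
            per_minute[(subject, ts.replace(second=0, microsecond=0))] += 1
    return [f"{s}: {n} password failures in the minute starting {m:%H:%M}"
            for (s, m), n in sorted(per_minute.items()) if n > limit]


def logins_per_hour(events: List[Event]) -> Dict[str, List[int]]:
    """Counter metric of Q.46: successful logins per subject per active hour."""
    counts = defaultdict(Counter)
    for subject, action, exc, ts in events:
        if action == "login" and exc is None:
            counts[subject][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return {s: list(c.values()) for s, c in counts.items()}


def profile_alerts(history: List[Event], current: List[Event],
                   z_limit: float = 3.0) -> List[str]:
    """Profile-based detection: flag an hour whose login count deviates from the
    subject's historical mean by more than `z_limit` standard deviations."""
    profile = {s: (mean(v), pstdev(v)) for s, v in logins_per_hour(history).items()}
    out = []
    for subject, hours in logins_per_hour(current).items():
        if subject not in profile:
            continue  # no profile yet: nothing to compare against
        mu, sigma = profile[subject]
        for n in hours:
            if sigma == 0:
                z = float("inf") if n != mu else 0.0
            else:
                z = (n - mu) / sigma
            if z > z_limit:
                out.append(f"{subject}: {n} logins in one hour, z = {z:.1f} vs mean {mu:.1f}")
    return out


def p_intrusion_given_alarm(base_rate: float, detection_rate: float,
                            false_alarm_rate: float) -> float:
    """Bayes: P(intrusion | alarm) for a detector with the given rates."""
    hits = base_rate * detection_rate
    false_alarms = (1 - base_rate) * false_alarm_rate
    return hits / (hits + false_alarms)


def max_false_alarm_rate(base_rate: float, detection_rate: float, target: float) -> float:
    """Largest false-alarm rate at which P(intrusion | alarm) still reaches `target`."""
    return base_rate * detection_rate * (1 - target) / ((1 - base_rate) * target)


# Constructed history: alice logs in 3, 4 or 5 times in each of her active hours.
MINUTES = {1: (0, 15, 30), 2: (0, 15, 30, 45), 3: (0, 15, 30, 45, 50)}
HISTORY = [("alice", "login", None, T(f"2024-03-0{d} {h:02d}:{m:02d}"))
           for d, ms in MINUTES.items() for h in (9, 14) for m in ms]
# Constructed current events: 15 logins by alice in one hour, 8 failures by bob
# in one minute.
CURRENT = ([("alice", "login", None, T(f"2024-03-08 09:{m:02d}")) for m in range(0, 60, 4)]
           + [("bob", "login", "auth-failure", T(f"2024-03-08 11:02:{s:02d}")) for s in range(0, 60, 8)])

if __name__ == "__main__":
    print(threshold_alerts(CURRENT))
    print(profile_alerts(HISTORY, CURRENT))
    print(p_intrusion_given_alarm(1e-4, 0.99, 0.01), max_false_alarm_rate(1e-4, 0.99, 0.5))
```

The last line is the base-rate fallacy in numbers: with one intrusion per 10,000 audit records, a detector that catches 99 % of intrusions and false-alarms on only 1 % of legitimate records still has fewer than 1 % of its alarms correspond to real intrusions, and the false-alarm rate would have to fall below about 10^-4 before even half the alarms were genuine.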
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0.49, Differentiate between the following — 


(i) Statistical anomaly detection and rule based intrusion detection 
š ion 
(Gi) Rule-based anomaly detection and rule based penetratio 
identification. i 


(R.GP.V.,, Dec. 2011) 
Ans. (i) Refer to Q.46 and Q.44. . 


(ii) Refer to Q.44. 
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(iv) Avoidance of Identity Theft — 
username as well as password w 
or she can read the e-mails which 
on your behalf. This is referre 
go in for e-mail encryption. 


If any person pe 


hich you use to get to your . ho dor Yo 
you send and also send Së nthe L 
d to as identity theft and can be eet sss 
\deq IDN 
(v) Repudiation of Messages Sent — Owing to the fact that; . 
to forge regular e-mail Messages, you can never really prove that ee is Casy 
person has sent you a particular message, This connotes that even ie, Nd sy 
actually sent you a particular Message, ending it, This ha Person 
implications as regards to makin Sse 


en, 
messages, These 
SS to the back, 
your disadvan 
ted the Message, 


backups can be Present for y 
files can read your message: 


S and use the information to 
even while you are thinking 


that you have dele 
0.51. Write a short note on e-mail 
Ans. Refer to Q.50. 


age 


security. (R.GEBV, May 2019) 


Q.52. What security protocols are used to protect e-mail ? (R.G.P.V., June 2011)
Ans. The three main e-mail security protocols are Privacy Enhanced Mail (PEM), Pretty Good Privacy (PGP), and Secure MIME (S/MIME).

(i) PEM — Privacy Enhanced Mail (PEM) is an e-mail security standard adopted by the Internet Architecture Board (IAB) to offer secure electronic mail over the Internet. It supports key-management mechanisms using public-key certificates; algorithms, modes, and associated identifiers; and paper and electronic format details and procedures for the key-management infrastructure. PEM provides three privacy enhancement services — message integrity, authentication and confidentiality.
(ii) PGP — Pretty Good Privacy (PGP) is another secure mail protocol. It is an electronic mail security program, originally designed by Phil Zimmermann. It is a freeware program that was invented to provide e-mail with privacy, integrity and authentication, and it can be used to create a secure e-mail message or to store a file securely. PGP is easy to use, and free. PGP is based on the public-key method.

PGP is not just for mail. It performs encryption and integrity protection on files. Mail is not treated any differently from ordinary files. Someone wishing to send a secure mail message could first transform the file to be mailed using PGP, and then mail the transformed file using a traditional mailer. Similarly, if one were to receive a PGP-encrypted mail message, one could treat the received message as a file and feed it to PGP to process. This is a bit inconvenient. So PGP comes with modifications for a number of common mail systems, allowing people to integrate PGP into their mail systems.


(iii) S/MIME — Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME). S/MIME is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many users. S/MIME defines new content types to include security services to the MIME e-mail. These new content types include the parameter “application/pkcs7-mime”, based on the public key cryptography specification.
Q.53. Describe the kind of security services for electronic mail.
Ans. Most electronic mail systems do not provide most of these services. Even those designed specifically for security often only provide for some of them.
(i) Privacy — The ability to keep anyone but the intended recipient from reading the message.
(ii) Authentication — Reassurance to the recipient of the identity of the sender.
(iii) Integrity — Reassurance to the recipient that the message has not been altered since it was transmitted by the sender.
(iv) Non-repudiation — The ability of the recipient to prove to a third party that the sender really did send the message. This feature is also sometimes called third party authentication. The term non-repudiation means that the sender cannot later deny sending the message.
(v) Proof of Submission — Verification to the sender that the message was handed to the mail delivery system. With postal mail you just receive proof that you sent something to a particular address on a particular date, but with electronic mail it is possible to have the mail system verify acceptance of the contents of a particular message, perhaps by signing the message digest of the contents of the message.

(vi) Proof of Delivery — Verification that the recipient received the message. Postal mail has a similar feature (return receipt requested), but it only verifies that something was delivered on a particular date, whereas with electronic mail it is possible to verify the contents of a message.

(vii) Message Flow Confidentiality — the …

(viii) Anonymity — The ability to send a message so that the recipient can’t find out the identity of the sender.

(ix) Containment — The ability of the network to keep security levels of information from leaking out of a particular region.

(x) Audit — The ability of the network to record events that might have some security relevance, such as that Alice sent a message to Bob on a particular date.

(xi) Accounting — The ability of the mail system to maintain system usage statistics, in addition to providing clues for system resource management.

(xii) Self Destruct — It is an option allowing a sender to specify that a message should be destroyed after delivery to the recipient. This allows Alice to send a message to Bob that Bob cannot forward or store. The mail system will decrypt and display the message, but then delete it. This can be implemented by marking the message as a self destruct message, and having the mail program at the destination cooperate by deleting the message immediately after displaying it.

(xiii) Message Sequence Integrity — Reassurance that an entire sequence of messages arrived in the order transmitted, without any loss.


Q.54. Draw generic transmission diagram in PGP and explain in brief.
(R.G.P.V., June 2012)
Ans. Fig. 4.14 shows the generic transmission diagram in PGP. On transmission, if necessary, a signature is generated using a hash code of the plaintext. Then the plaintext, as well as the signature if present, is compressed. Next, if confidentiality is needed, the block is encrypted and prepended with the public-key-encrypted symmetric encryption key. At last, the entire block is converted to radix-64 format.

Flow of the message block F in fig. 4.14 —
Signature needed ? — Y : Generate signature, F ← Signature || F
Compress, F ← Z(F)
Confidentiality needed ? — Y : Encrypt key and F, F ← E_KUb[Ks] || E_Ks[F]
Convert to Radix 64, F ← R64[F]

Fig. 4.14 Generic Transmission Diagram


Q.55. Explain the steps involved in key generation in PGP.
Ans. The steps involved in key generation in PGP are as follows —
(i) The sender generates a message. For this message, a random 128-bit number is used as a session key.
(ii) The encryption of the message is done using CAST-128 with the session key.
(iii) The session key is encrypted with RSA, using the recipient’s public key, and is prepended to the message.
(iv) The receiver uses RSA with its private key to decrypt and recover the session key.
(v) The session key is used to decrypt the message.

Q.56. Why does PGP generate a signature before applying compression ?
Ans. The signature is generated before compression for two reasons —
(i) It is preferable to sign an uncompressed message so that one can store only the uncompressed message together with the signature for future verification. If one signed a compressed document, then it would be necessary either to store a compressed version of the message for later verification or to recompress the message when verification is required.
(ii) Even when one were willing to generate a recompressed message for verification, PGP's compression algorithm presents a problem. The algorithm is not deterministic. Various implementations of the algorithm get distinct tradeoffs in running speed versus compression ratio and, as a result, generate distinct compressed forms.
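The transmission order of fig. 4.14 (sign, compress, encrypt, wrap the session key, radix-64), the session-key steps of Q.55 and the sign-before-compress point of Q.56 can be exercised end to end in a short program. The following is an added Go example, not code from the book or from PGP itself: the function names are hypothetical, the keys are generated on the fly, and the algorithm choices are this example's assumptions (RSA PKCS#1 v1.5 with SHA-256 for the signature, AES-128-GCM in place of CAST-128 for the message, RSA-OAEP to wrap the session key, zlib for compression and base64 as the radix-64 step). Because the signature is computed over the plaintext before compression, the receiver verifies it after decompressing, exactly as Q.56 (i) describes.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
)

// pgpSend follows fig. 4.14: sign the uncompressed plaintext, compress
// signature||plaintext, encrypt under a fresh 128-bit session key, prepend the
// session key wrapped with the recipient's public key, then radix-64 encode.
// Algorithm choices are this example's assumptions, not PGP's own.
func pgpSend(plain []byte, senderPriv *rsa.PrivateKey, recipPub *rsa.PublicKey) (string, error) {
	digest := sha256.Sum256(plain) // step 1: signature over the *uncompressed* plaintext
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	var zbuf bytes.Buffer      // step 2: compress signature || plaintext; the signature
	zw := zlib.NewWriter(&zbuf) // is exactly one RSA modulus long, so no length prefix
	zw.Write(sig)
	zw.Write(plain)
	zw.Close()
	kn := make([]byte, 28) // step 3: random 16-byte session key and 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, kn); err != nil {
		return "", err
	}
	ks, nonce := kn[:16], kn[16:]
	block, _ := aes.NewCipher(ks)
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, nonce, zbuf.Bytes(), nil)
	ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipPub, ks, nil) // step 4
	if err != nil {
		return "", err
	}
	// step 5: radix-64 over E_KUb[Ks] || nonce || E_Ks[Z(sig || M)]
	return base64.StdEncoding.EncodeToString(append(append(ek, nonce...), ct...)), nil
}

// pgpReceive reverses the steps (Q.55 (iv)-(v)): decode, unwrap the session key
// with the recipient's private key, decrypt, decompress, then verify the
// signature over the recovered plaintext with the sender's public key.
func pgpReceive(armored string, recipPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(armored)
	n := recipPriv.Size() // the wrapped key occupies exactly one RSA block
	if err != nil || len(raw) < n+12 {
		return nil, fmt.Errorf("malformed or truncated block")
	}
	ks, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipPriv, raw[:n], nil)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	block, _ := aes.NewCipher(ks)
	gcm, _ := cipher.NewGCM(block)
	z, err := gcm.Open(nil, raw[n:n+12], raw[n+12:], nil) // fails on any modification
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	zr, err := zlib.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	unpacked, err := io.ReadAll(zr)
	if err != nil || len(unpacked) < senderPub.Size() {
		return nil, fmt.Errorf("decompression failed or signature truncated")
	}
	sig, plain := unpacked[:senderPub.Size()], unpacked[senderPub.Size():]
	digest := sha256.Sum256(plain)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return plain, nil
}

// demoRoundTrip uses throw-away keys for Alice (sender) and Bob (recipient) on a
// constructed message; it reports whether the plaintext round-trips and whether
// a block with one corrupted ciphertext byte is rejected.
func demoRoundTrip() (roundTripOK, tamperRejected bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	bob, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return false, false, fmt.Errorf("key generation failed")
	}
	msg := []byte("constructed sample: the meeting moves to 10:00 -- Alice")
	armored, err := pgpSend(msg, alice, &bob.PublicKey)
	if err != nil {
		return
	}
	got, err := pgpReceive(armored, bob, &alice.PublicKey)
	if err != nil {
		return
	}
	roundTripOK = bytes.Equal(got, msg)
	raw, _ := base64.StdEncoding.DecodeString(armored)
	raw[len(raw)-1] ^= 0x01 // corrupt the last ciphertext byte
	_, tamperErr := pgpReceive(base64.StdEncoding.EncodeToString(raw), bob, &alice.PublicKey)
	tamperRejected = tamperErr != nil
	return
}
```

The receiver never sees plaintext from a modified block: AES-GCM rejects the corrupted ciphertext before decompression, and even a block that decrypted cleanly would still have to pass the signature check over the uncompressed plaintext.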


Privacy in e-mails … Signed messages. … wants to send a message to Bob, which Bob needs … to ensure that Bob will not be … In that case, only the digital signature is encoded using radix-64. Consequently, recipients without PGP can view the message, although they cannot verify the signature.


(i) Non-repudiation of recipient is claimed to have been achieved by the use of signed receipt.
(ii) Multi-recipient message support in S/MIME is not efficient enough.
(iii) Partial content signature is not supported by S/MIME.
(iv) E-mail header protection provided by S/MIME is not sufficient.
(v) Possible use of bogus name for sender is not prevented in S/MIME, due to the fact that class-1 certificates do not contain validated names, and e-mail clients allow any name for sender while sending an e-mail message.
(vi) E-mail storage in encrypted form with the original encryption key is a design flaw of all current S/MIME client implementations.
OVERVIEW OF IPSEC, IP & IP VERSION 6 AUTHENTICATION, ENCAPSULATION SECURITY PAYLOAD (ESP), INTERNET KEY EXCHANGE (IKE)
Q.59. Write a short note on IP security. (R.G.P.V., Dec. 2004, May/June 2006, 2007)
Or
Write an essay on IP security. (R.G.P.V., Dec. 2005)
Or
What do you mean by IP security ? (R.G.P.V., June …)
Or
Explain IP security. (R.G.P.V., Dec. 2006, June 2015)
Or
Discuss IP security in detail. (R.G.P.V., June 2016)
Ans. In 1994, the Internet Architecture Board (IAB) issued a report entitled Security in Internet Architecture. The report stated the general consensus that the Internet needs more and better security, and it identified key areas for security mechanisms. Among these were the need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.
These concerns are fully justified. As confirmation, the annual report from the Computer Emergency Response Team (CERT) lists many reported security incidents. The more severe types of attacks included IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on IP; and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents.
In response to these issues, the IAB included authentication and encryption as necessary security features in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities were designed to be usable both with the current IPv4 and the future IPv6. It means that vendors can begin offering these features now, and many vendors do now have some IPSec capability in their products.


Q.60. What are the various applications of IPSec ?
Ans. IPSec provides the capability of secure communication across a LAN, across private and public WANs, and across the Internet. Following are the examples of its uses —
(i) Secure Remote Access Over the Internet — An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.
(ii) Secure Branch Office Connectivity Over the Internet — …

(R.G.P.V., D…)
Ans. These are given as follows —
(i) When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter.
(ii) IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization.
(iii) IPSec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPSec is implemented in the firewall or router. Even if IPSec is implemented in end systems, upper-layer software, including applications, is not affected.
(v) IPSec can provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual sub-network within an organization for sensitive applications.
Q.62. … IP security documents.
Ans. IPSec is being developed by the Internet Engineering Task Force (IETF) IPSec Working Group. The full set of specifications for IPSec is not finished in writing but they are nearing completion and the basic RFCs are complete.
IPSec specification has become quite complex. To get a feel for the overall architecture we have to go through an insight into the following —
(i) IPSec documents (ii) IPSec services (iii) Security associations.
The IPSec specification consists of numerous documents. The most important of these are RFCs 2401, 2402, 2406 and 2408.
RFC 2401 — An overview of security architecture.
RFC 2402 — Description of a packet authentication extension to IPv4 and IPv6.
RFC 2406 — Description of a packet encryption extension to IPv4 and IPv6.
RFC 2408 — Specification of key management capabilities.
In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group and are divided into categories as (shown in fig. 4.15) follows —


Fig. 4.15 IPSec Documents Overview (Architecture; Encryption Algorithm; Authentication Algorithm; Key Management)


(i) Architecture — Covers the general concepts, security requirements, definitions, and mechanisms defining IPSec technology.
(ii) Encapsulating Security Payload (ESP) — Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.
(iii) Authentication Header (AH) — Covers the packet format and general issues related to the use of AH for packet authentication.
(iv) Encryption Algorithm — A set of documents that describes how various encryption algorithms are used for ESP.
(v) Authentication Algorithm — A set of documents that describes how various authentication algorithms are used for AH and for the authentication option of ESP.
(vi) Key Management — Documents that describe key management schemes.
(vii) Domain of Interpretation (DOI) — Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms as well as operational parameters such as key lifetime.


Q.63. Discuss about the IP and IP version 6.
Ans. IP security, or IPsec, is a framework of open standards developed by the Internet Engineering Task Force (IETF). It provides the following security services —
(i) Data Confidentiality — The IPsec sender can encrypt packets before sending them across a network.
(ii) Data Integrity — The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.
(iii) Data Origin Authentication — The IPsec receiver can authenticate the source of the IPsec packets sent. This service depends upon the data integrity service.
(iv) Antireplay — The IPsec receiver can detect and reject replayed packets.
With IPsec, data can be sent across a public network without observation, modification, or spoofing. IPsec functionality is similar in both IPv6 and IPv4; however, site-to-site tunnel mode only is supported in IPv6.
In IPv6, IPsec is implemented using the AH authentication header and the ESP extension header. The authentication header provides integrity and authentication of the source. It also provides optional protection against replayed packets. The authentication header protects the integrity of most of the IP header fields, and authenticates the source through a signature-based algorithm. The ESP header provides confidentiality, authentication of the source, connectionless integrity of the inner packet, antireplay, and limited traffic flow confidentiality.

Ae 
Q.64. What services are provided by IPSec ? (R.G.P.V., June 2012)
Ans. IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithms to use for the services, and put in place any cryptographic keys required to provide the requested services. Two protocols are used to provide security — an authentication protocol designated by the header of the protocol, Authentication Header (AH); and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). The services are as follows —
(i) Access control
(ii) Connectionless integrity
(iii) Data origin authentication
(iv) Rejection of replayed packets (a form of partial sequence integrity)
(v) Confidentiality (encryption)
(vi) Limited traffic flow confidentiality.
Table 4.2 shows which services are provided by the AH and ESP protocols. For ESP, there are two cases — with and without the authentication option. Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols.

Table 4.2 IPSec Services
Service | AH | ESP (encryption only) | ESP (encryption plus authentication)
(i) Access control | ✓ | ✓ | ✓
(ii) Connectionless integrity | ✓ | | ✓
(iii) Data origin authentication | ✓ | | ✓
(iv) Rejection of replayed packets | ✓ | ✓ | ✓
(v) Confidentiality | | ✓ | ✓
(vi) Limited traffic flow confidentiality | | ✓ | ✓
Q.65. What is security association ?
Ans. Security association (SA) is a concept that appears in both the authentication and confidentiality mechanisms for IP. An association is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it. If a peer relationship is needed, for two-way secure exchange, then two security associations are required. Security services are afforded to an SA for the use of AH or ESP, but not both.
Q.66. Explain Encapsulating Security Payload (ESP).
Ans. The Encapsulating Security Payload protocol provides confidentiality services, as well as limited traffic flow confidentiality. As an optional feature, ESP can also provide an authentication service.
Fig. 4.16 shows the format of an ESP packet. It contains the following fields —
(i) Security Parameters Index (32 bits) — Identifies a security association.
(ii) Sequence Number (32 bits) — A monotonically increasing counter value. This provides an anti-replay function, as discussed for AH.
(iii) Payload Data (variable) — The transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
(iv) Padding (0–255 bytes) — The purpose of this field is to expand the plaintext to the required length.
(v) Pad Length (8 bits) — Indicates the number of pad bytes immediately preceding this field.
(vi) Next Header (8 bits) — Identifies the type of data contained in the payload data field by identifying the first header in that payload (for example, an extension header in IPv6, or an upper-layer protocol such as TCP).
(vii) Authentication Data (variable) — A variable-length field that contains the integrity check value computed over the ESP packet minus the Authentication Data field.

Fig. 4.16 IPSec ESP Format (fields, top to bottom: Security Parameters Index (SPI), Sequence Number, Payload Data (variable), Padding (0–255 bytes), Pad Length, Next Header, Authentication Data (variable); confidentiality coverage runs from Payload Data through Next Header, authentication coverage from SPI through Next Header)
Q.67. What parameters identify an SA and what parameters characterize a particular SA ?
Ans. A security association is uniquely identified by three parameters —
(i) Security Protocol Identifier — This indicates whether the association is an AH or ESP security association.
(ii) Security Parameters Index (SPI) — A bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
(iii) IP Destination Address — Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end user system or a network system such as a firewall or router.
Hence, in any IP packet (an IPv4 datagram or an IPv6 packet), the security association is uniquely identified by the destination address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP).

A security association is normally defined by the following parameters —
(i) AH Information — Authentication algorithm, keys, key lifetimes, and related parameters being used with AH (required for AH implementations).
(ii) ESP Information — Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations).
(iii) Sequence Number Counter — A 32-bit value used to generate the sequence number field in AH or ESP headers (required for all implementations).
(iv) Sequence Counter Overflow — A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA (required for all implementations).
(v) Anti-replay Window — Used to determine whether an inbound AH or ESP packet is a replay (required for all implementations).
(vi) Lifetime of this Security Association — A time interval or byte count after which an SA must be replaced with a new SA (and new SPI) or terminated, plus an indication of which of these actions should occur (required for all implementations).
(vii) Path MTU — Any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables (required for all implementations).
(viii) IPSec Protocol Mode — Tunnel, transport, or wildcard (required for all implementations).
The key mechanism that is used to distribute keys is linked to the authentication and privacy mechanisms only by way of the Security Parameters Index. Hence, authentication and privacy have been specified independent of any specific key management mechanism.

Q.68. Give an overview of transport mode and tunnel mode. (R.G.P.V., June 2015)
Or
IPSec can be used in two modes. What are they ? (R.G.P.V., 201…)
Ans. The two modes supported by AH and ESP are transport mode and tunnel mode —
(i) Transport Mode — Transport mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet. Transport mode is typically used for end-to-end communication between two hosts. ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header.
(ii) Tunnel Mode — Tunnel mode provides protection to the entire IP packet. After the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new outer IP packet with a new outer IP header. With tunnel mode, a number of hosts on networks behind firewalls may engage in secure communications without implementing IPSec. The unprotected packets generated by such hosts are tunneled through external networks by tunnel mode SAs set up by the IPSec software in the firewall or secure router at the boundary of the local network. ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header. AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header.
Table 4.3 summarizes the transport and tunnel modes functionality.

Table 4.3 Tunnel Mode and Transport Mode Functionality
| Transport Mode SA | Tunnel Mode SA
AH | Authenticates IP payload and selected portions of IP header and IPv6 extension headers. | Authenticates entire inner IP packet (inner header plus IP payload) plus selected portions of outer IP header and outer IPv6 extension headers.
ESP | Encrypts IP payload and any IPv6 extension headers following the ESP header. | Encrypts inner IP packet.
ESP with Authentication | Encrypts IP payload and any IPv6 extension headers following the ESP header. Authenticates IP payload but not IP header. | Encrypts inner IP packet. Authenticates inner IP packet.
Q.69. What is the difference between transport mode and tunnel mode ?
(R.G.P.V., June 2012, 2017)
Ans. Refer to Q.68.

Q.70. Discuss how ESP operates in transport and tunnel modes.
(R.G.P.V., June 2010)
Ans. ESP Transport Mode — ESP transport mode is used to encrypt and optionally authenticate the data carried by IP (for example, a TCP segment), as shown in fig. 4.17. For this mode using IPv4, the ESP header is inserted into the IP packet immediately prior to the transport-layer header (for example, TCP, UDP, ICMP) and an ESP trailer (Padding, Pad Length, and Next Header fields) is placed after the IP packet. If authentication is selected, the ESP Authentication Data field is added after the ESP trailer. The entire transport-level segment plus the ESP trailer are encrypted. Authentication covers all of the ciphertext plus the ESP header.

Transport mode operation may be summarized as follows —
(i) At the source, the block of data consisting of the ESP trailer plus the entire transport-layer segment is encrypted and the plaintext of this block is replaced with its ciphertext to form the IP packet for transmission. Authentication is added if this option is selected.
Fig. 4.17 Scope of ESP Encryption and Authentication

ESP Tunnel Mode — … would be unable to process such a packet. Therefore, it is necessary to encapsulate the entire block with a new IP header that will contain sufficient information for routing but not for traffic analysis.
Whereas the transport mode is suitable for protecting connections between hosts that support the ESP feature, the tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway that protects a trusted network from external networks. In this latter case, encryption occurs only between an external host and the security gateway or between two security gateways. This relieves hosts on the internal network of the processing burden of encryption and simplifies the key distribution task by reducing the number of needed keys. Further, it thwarts traffic analysis based on ultimate destination.
Consider a case in which an external host wishes to communicate with a host on an internal network protected by a firewall, and in which ESP is implemented in the external host and the firewalls. The following steps are required for transfer of a transport-layer segment from the external host to the internal host —
(i) The source prepares an inner IP packet with a destination address of the target internal host. This packet is prefixed by an ESP header, then the packet and ESP trailer are encrypted and authentication data may be added. The resulting block is encapsulated with a new IP header whose destination address is the firewall; this forms the outer IP packet.
(ii) The outer packet is routed to the destination firewall. Each intermediate router needs to examine and process the outer IP header plus any outer IP extension headers but does not need to examine the ciphertext.
(iii) The destination firewall examines and processes the outer IP header plus any outer IP extension headers. Then, on the basis of the SPI in the ESP header, the destination node decrypts the remainder of the packet to recover the plaintext inner IP packet. This packet is then transmitted in the internal network.
(iv) The inner packet is routed through zero or more routers in the internal network to the destination host.
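The transport-mode framing described above (ESP header before the segment, trailer after it, everything from the segment through Next Header encrypted, the ICV over header plus ciphertext) maps directly onto the field list of Q.66. The following is an added Go example, not code from the book or from any IPSec stack: the function and type names are hypothetical, the SA keys and the TCP segment are constructed for the demo, and the algorithm pairing (AES-128-CBC with a per-packet random IV, HMAC-SHA1-96 for the ICV) is this example's assumption. The receiver checks the ICV before decrypting, which is the order that keeps forged packets from reaching the cipher at all.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"io"
)

const (
	espHdrLen  = 8  // SPI (4 bytes) + Sequence Number (4 bytes)
	espTrlLen  = 2  // Pad Length (1 byte) + Next Header (1 byte)
	icvLen     = 12 // HMAC-SHA1-96: the first 96 bits of the HMAC
	nextHdrTCP = 6  // IP protocol number carried in Next Header for TCP
)

// espKeys holds the SA's ESP information (parameter (ii) of an SA): the
// encryption key and the authentication key. AES-128-CBC with HMAC-SHA1-96 is
// this example's assumed algorithm pairing.
type espKeys struct {
	encKey, authKey []byte
}

// espEncapsulate builds a transport-mode ESP packet around a transport-layer
// segment: SPI || Seq || IV || E(payload || padding || padLen || nextHdr) || ICV.
// Padding brings the encrypted part to a multiple of the cipher block size; the
// ICV is computed over the ESP header, IV and ciphertext (fig. 4.16 coverage).
func espEncapsulate(k espKeys, spi, seq uint32, nextHdr byte, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padLen := (bs - (len(payload)+espTrlLen)%bs) % bs
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // default padding content 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHdr) // ESP trailer
	pkt := make([]byte, espHdrLen+bs, espHdrLen+bs+len(plain)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:], spi)
	binary.BigEndian.PutUint32(pkt[4:], seq)
	iv := pkt[espHdrLen:] // fresh random IV per packet
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, k.authKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// espDecapsulate is the receiver side of Q.70 steps (ii)-(iii): verify the ICV
// first (constant-time compare), so forged or modified packets are dropped
// before any decryption, then decrypt and strip padding and trailer.
func espDecapsulate(k espKeys, pkt []byte) (spi, seq uint32, nextHdr byte, payload []byte, err error) {
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return
	}
	bs := block.BlockSize()
	if len(pkt) < espHdrLen+2*bs+icvLen || (len(pkt)-espHdrLen-icvLen)%bs != 0 {
		err = errors.New("packet length inconsistent with ESP layout")
		return
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, k.authKey)
	mac.Write(body)
	if !hmac.Equal(icv, mac.Sum(nil)[:icvLen]) {
		err = errors.New("ICV mismatch: packet modified or wrong SA")
		return
	}
	spi, seq = binary.BigEndian.Uint32(body[0:]), binary.BigEndian.Uint32(body[4:])
	iv, ct := body[espHdrLen:espHdrLen+bs], body[espHdrLen+bs:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	nextHdr = plain[len(plain)-1]
	if padLen+espTrlLen > len(plain) {
		err = errors.New("bad pad length")
		return
	}
	payload = plain[:len(plain)-padLen-espTrlLen]
	return
}

// espDemo wraps a constructed TCP segment with constructed SA keys, unwraps it,
// and shows that a single flipped ciphertext bit is caught by the ICV check.
func espDemo() (ok bool, tamperErr error, err error) {
	k := espKeys{encKey: bytes.Repeat([]byte{0x11}, 16), authKey: bytes.Repeat([]byte{0x22}, 20)}
	segment := []byte("constructed TCP segment: GET / HTTP/1.0\r\n\r\n")
	pkt, err := espEncapsulate(k, 0x1000, 1, nextHdrTCP, segment)
	if err != nil {
		return
	}
	spi, seq, nh, got, err := espDecapsulate(k, pkt)
	if err != nil {
		return
	}
	ok = spi == 0x1000 && seq == 1 && nh == nextHdrTCP && bytes.Equal(got, segment)
	bad := append([]byte(nil), pkt...)
	bad[espHdrLen+16] ^= 0x80 // first ciphertext byte
	_, _, _, _, tamperErr = espDecapsulate(k, bad)
	return
}
```

For a 16-byte payload the trailer makes 18 bytes, so 14 bytes of padding bring the encrypted part to 32 bytes; with the 8-byte header, 16-byte IV and 12-byte ICV the packet is 68 bytes, which is the kind of arithmetic the Pad Length field exists to make explicit. Tunnel mode differs only in what goes into payload (a whole inner IP packet, with Next Header set to the IP protocol number) and in the new outer IP header added around the result.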
Q.71. How IPSec can be used to create VPN ? (R.G.P.V., Dec. 2007)
Ans. Fig. 4.18 shows the way in which the IPSec ESP service can be used. It shows how tunnel mode operation can be used to set up a virtual private network. In this example an organization has four private networks interconnected across the Internet. Hosts on the internal networks use the Internet for transport of data but do not interact with other Internet-based hosts. By terminating the tunnels at the security gateway to each internal network, the configuration allows the hosts to avoid implementing the security capability.
… connect to the site you want to talk to and act as a man-in-the-middle, learning your password and then being able to make stock trades with it. One would hope that using SSL would make this impossible.

(ii) Unclear on the Concept — Suppose the user is very careful to make sure that he is talking to the server and the user session is cryptographically protected. After the user does his SSL-protected transaction, although the credit card is cryptographically protected while on the wire, it is not uncommon for the merchant to subsequently email a confirmation to the user, in the clear, with all the details of the transaction, including the credit card number!

(iii) Getting Impersonated by a Subsequent User — The authorization feature of HTTP lets a Web server signal the browser that it should prompt the user for a username and password and then the browser can calculate the proper authentication information for the server. It is natural for the browser to store the user's name and password so that on subsequent visits to that same site, the browser will not need to prompt the user for name and password again. The browser can complete the authentication on the user’s behalf. If a user is surfing the Web from a public workstation and then walks away from the machine without logging out of the browser, the next user who walks up to that machine will be assumed to be the authenticated previous user. For this reason, it is important for cookies and authorization information to only be cached for a short time and certainly deleted when the user exits from the browser.

Some browser vendors have thought up a really “helpful” feature that gives us the chills. When a server requests authorization information, causing the client machine to prompt the user for username and password, the browser asks the user Alice whether she would like the browser to remember this information so that she would not be bothered in the future. It means that every subsequent user will be automatically authorized as Alice on any site that Alice authenticated. If Alice realizes her horrible error after answering “Yes” and wants to take it back, there is no easy way. You might think that she can cause the prompt to appear and this time overwrite her real information with bogus information in order to erase the dangerous information from being stored for the next user. But the browser will never prompt again ! This is such a bad feature that it should certainly be removed from browsers. But until it is, servers should not use the authorization feature of HTTP and instead accomplish the same thing by presenting the user with a form on the server site and giving the client machine a cookie proving that the user has been authenticated. And the server should specify that the cookie be deleted when the user exits from the browser.
(iv) Cross-site Scripting — One of the types of content that can be embedded in a Web page is active content, i.e., a program, e.g., <SCRIPT> script commands </SCRIPT>. Types of active content are Java, JavaScript and ActiveX.
… between a browser and a server.

When a browser encrypts information, the process is entirely hidden from a user. With SSL, a browser can encrypt a message so the contents remain private. Moreover, the entire process is automated; the browser performs the encryption without requiring the user to act.

SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols.
Fig. 4.19 SSL Protocol Stack
Two important SSL concepts are the SSL session and the SSL connection, which are defined in the specification as follows —
A session state is defined by the following parameters —
Master Secret — 48-byte secret shared between the client and server.
seq_num = the sequence number for this message.
SSLCompressed.type = the higher-level protocol used to process this fragment.
SSLCompressed.length = the length of the compressed fragment.
SSLCompressed.fragment = the compressed fragment (if compression is not used, the plaintext fragment).
…ic encryption.
… session may continue, but no new connections on the session may be established. The second byte contains a code that indicates the specific alert. … (c) bad_certificate (d) unsupported_certificate (e) certificate_revoked (f) certificate_expired (g) certificate_unknown.
Fig. 4.21 SSL Record Format (MAC field of 16 or 20 bytes)
Q.80. Discuss various SSL-specific Protocols.
Or
What are the Protocols that SSL is comprised of ?
(R.G.P.V., Dec. 201...)
Ans. The SSL-specific Protocols are discussed below —
(i) Change Cipher Spec Protocol — The Change Cipher Spec Protocol is one of the SSL-specific protocols that use the SSL Record Protocol [fig. 4.22 (a)].
(ii) Alert Protocol — The Alert Protocol is used to convey SSL-related alerts to the peer entity. Each message in this protocol consists of two bytes [fig. 4.22 (b)]. The first byte takes the value warning (1) or fatal (2) to convey the severity of the message. If the level is fatal, SSL immediately terminates the connection.
(iii) Handshake Protocol — This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted.
The Handshake Protocol consists of a series of messages exchanged by client and server. All of these have the format shown in fig. 4.22 (c). Each message has three fields —
(a) Type (1 byte) — Indicates one of 10 messages. Table 4.4 lists the defined message types.
(b) Length (3 bytes) — The length of the message in bytes.
(c) Content (≥ 0 bytes) — The parameters associated with this message; these are listed in table 4.4.
Fig. 4.22 SSL Record Protocol Payload : (a) Change Cipher Spec Protocol (1 byte); (b) Alert Protocol (1 byte level, 1 byte alert); (c) Handshake Protocol (1 byte type, 3 bytes length, ≥ 0 bytes content); (d) Other Upper-layer Protocol (e.g. HTTP) (opaque content)
Table 4.4 SSL Handshake Protocol Message Types
Message Type : Parameters
hello_request : null
client_hello : version, random, session id, cipher suite, compression method
server_hello : version, random, session id, cipher suite, compression method
certificate : chain of X.509v3 certificates
server_key_exchange : parameters, signature
certificate_request : type, authorities
server_done : null
certificate_verify : signature
client_key_exchange : parameters, signature
finished : hash value
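The record header of fig. 4.21 and the Alert and Handshake payload formats of fig. 4.22, as an added parsing example (not code from the original text). The numeric type codes are those of the SSLv3/TLS specification; the byte strings fed to the parser are constructed here.

```python
"""Parsers for the SSL record header (fig. 4.21) and for the Alert and
Handshake Protocol payloads (fig. 4.22). Added example, not code from the
original text. Numeric codes are those of the SSLv3/TLS specification; the
sample byte strings below are constructed."""

# Record header (fig. 4.21): 1-byte content type, 2-byte version, 2-byte length
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}

# The ten handshake message types of table 4.4, keyed by their on-the-wire codes
HANDSHAKE_TYPES = {
    0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request", 14: "server_done",
    15: "certificate_verify", 16: "client_key_exchange", 20: "finished",
}

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions mentioned on this page, with their SSLv3 codes
ALERT_DESCRIPTIONS = {
    0: "close_notify", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
}


def parse_record(data: bytes):
    """Split one record off `data`: (content_type_name, (major, minor), fragment, rest)."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length exceeds available bytes")
    name = CONTENT_TYPES.get(ctype)
    if name is None:
        raise ValueError(f"unknown content type {ctype}")
    return name, (major, minor), fragment, data[5 + length:]


def parse_alert(fragment: bytes):
    """Alert message [fig. 4.22 (b)]: byte 0 = level (1 warning, 2 fatal), byte 1 = alert code."""
    if len(fragment) != 2:
        raise ValueError("alert message must be exactly 2 bytes")
    level, code = fragment[0], fragment[1]
    return (ALERT_LEVELS.get(level, f"unknown_level({level})"),
            ALERT_DESCRIPTIONS.get(code, f"unknown_alert({code})"))


def parse_handshake(fragment: bytes):
    """Handshake messages [fig. 4.22 (c)]: 1-byte type, 3-byte length, >= 0 bytes content.
    One fragment may carry several messages back to back; returns [(name, content), ...]."""
    messages, offset = [], 0
    while offset < len(fragment):
        if len(fragment) - offset < 4:
            raise ValueError("handshake header truncated")
        msg_type = fragment[offset]
        length = int.from_bytes(fragment[offset + 1:offset + 4], "big")
        content = fragment[offset + 4:offset + 4 + length]
        if len(content) != length:
            raise ValueError("handshake message length exceeds fragment")
        messages.append((HANDSHAKE_TYPES.get(msg_type, f"unknown({msg_type})"), content))
        offset += 4 + length
    return messages


def build_handshake(msg_type: int, content: bytes) -> bytes:
    """Inverse of parse_handshake for one message (used to build the sample input)."""
    return bytes([msg_type]) + len(content).to_bytes(3, "big") + content


def build_record(ctype: int, fragment: bytes, version=(3, 0)) -> bytes:
    """Wrap a fragment in a record header; SSLv3 is version 3.0."""
    return bytes([ctype, *version]) + len(fragment).to_bytes(2, "big") + fragment


# Constructed sample: a handshake record carrying certificate_request + server_done,
# followed by a record with a fatal bad_certificate alert.
SAMPLE = (build_record(22, build_handshake(13, b"\x01\x01") + build_handshake(14, b""))
          + build_record(21, bytes([2, 42])))


def walk(data: bytes):
    """Decode every record in `data` into a readable list."""
    out = []
    while data:
        name, version, fragment, data = parse_record(data)
        if name == "handshake":
            out.append((name, version, parse_handshake(fragment)))
        elif name == "alert":
            out.append((name, version, parse_alert(fragment)))
        else:
            out.append((name, version, fragment))
    return out


if __name__ == "__main__":
    for entry in walk(SAMPLE):
        print(entry)
```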
Fig. 4.23 shows the initial exchange needed to establish a logical connection between client and server. The exchange can be viewed as having four phases —
Phase 1. Establish Security Capabilities — This phase is used to initiate a logical connection and to establish the security capabilities that will be associated with it. The exchange is initiated by the client, which sends a client_hello message. After sending the client_hello message, the client waits for the server_hello message.
Phase 2. Server Authentication and Key Exchange — The server begins this phase by sending its certificate, if it needs to be authenticated; the message contains one or a chain of X.509 certificates. The certificate message is required for any agreed-on key exchange method except anonymous Diffie-Hellman. Next, a server_key_exchange message may be sent if it is required. It is not required in two instances — First, the server has sent a certificate with fixed Diffie-Hellman parameters, or secondly, RSA key exchange is to be used.
Fig. 4.23 Handshake Protocol Action (messages between Client and Server) :
Phase 1 : Establish Security Capabilities, including Protocol Version, Session ID, Cipher Suite, Compression Method, and Initial Random Numbers.
Phase 2 : Server may Send Certificate, Key Exchange, and Request Certificate. Server Signals end of Hello Message Phase.
Phase 3 : Client Sends Certificate if Requested. Client Sends Key Exchange. Client may Send Certificate Verification.
Phase 4 : Change Cipher Suite and Finish Handshake Protocol.
Phase 3. Client Authentication and Key Exchange — Upon receipt of the server_done message, the client should verify that the server provided a valid certificate, if required, and check that the server_hello parameters are acceptable. If all is satisfactory, the client sends one or more messages back to the server. If the server has requested a certificate, the client begins this phase by sending a certificate message. If no suitable certificate is available, the client sends a no_certificate alert instead. Next is the client_key_exchange message, which must be sent in this phase. The content of the message depends on the type of key exchange.
Phase 4. Finish — This phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec. The client then immediately sends the finished message under the new algorithms, keys, and secrets. The finished message verifies that the key exchange and authentication processes were successful.
Q.81. Why is the SSL layer positioned between the application layer and the transport layer ? (R.G.P.V.)
Ans. The application layer of the sending computer prepares the data to be sent to the receiving computer. The application layer data is passed to the SSL layer. The SSL layer performs encryption on the received data and also adds its own encryption information header, known as the SSL header. Thereafter, the SSL layer data becomes the input for the transport layer, which adds its own header and passes it on to the lower layers, and so on, till the data reaches the physical layer. In the physical layer, the data is sent in the form of voltage pulses across the transmission medium. The same thing happens in reverse in the case of a receiver, and finally the application layer data is presented in the plain form. Suppose instead that SSL were positioned below the transport layer. That would serve no purpose at all. In fact, it would lead to a situation where the transport, Internet, data link and physical layer headers would also be encrypted and become unreadable. Thus, the addresses of the computers would be unknown. This is the reason why the SSL layer is positioned between the application layer and the transport layer.

Q.82. What is TLS ? Explain the differences between SSL and TLS protocols.
Or
What do you mean by transport layer security (TLS) ? Explain. (R.G.P.V., June 2011)
Ans. Transport Layer Security (TLS) is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL. TLS is defined as a proposed Internet standard in RFC 2246. RFC 2246 is similar to SSLv3. The differences between the SSL and TLS protocols are —
(i) Version Number — The TLS record format is the same as that of the SSL record format and the fields in the header have the same meanings. The one difference is in version values. For the current version of TLS, the major version is 3 and the minor version is 1.
(ii) Cipher Suite — Another major difference between SSLv3 and TLS is the lack of support for the Fortezza method. TLS does not support Fortezza for key exchange or for encryption/decryption.
(iii) Message Authentication Code — There are two differences between the SSLv3 and TLS MAC schemes — the actual algorithm and the scope of the MAC calculation. TLS makes use of the HMAC algorithm defined in RFC 2104. HMAC is defined as —
HMAC_K(M) = H[(K⁺ ⊕ opad) || H[(K⁺ ⊕ ipad) || M]]
where H is the embedded hash function, M is the message input to HMAC, K⁺ is the secret key padded to the block length of the hash function, and ipad and opad are fixed padding constants. SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key rather than being XORed with the secret key padded to the block length.
For TLS, the MAC calculation encompasses the fields indicated in the following expression —
HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version || TLSCompressed.length || TLSCompressed.fragment)
The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field TLSCompressed.version, which is the version of the protocol being employed.
(iv) Pseudorandom Function — It is referred to as PRF to expand secrets into blocks of data for purposes of key generation or validation. The objective is to make use of a relatively small shared secret value but to generate longer blocks of data in a way that is secure from the kinds of attacks made on hash functions and MACs. The PRF is based on the following data expansion function (fig. 4.24) —
P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) || HMAC_hash(secret, A(2) || seed) || HMAC_hash(secret, A(3) || seed) || ...
where A() is defined as —
A(0) = seed
A(i) = HMAC_hash(secret, A(i - 1))
Fig. 4.24 TLS Function P_hash(secret, seed) (each HMAC output block has Length = Hash Size bytes)
The data expansion function makes use of the HMAC algorithm with either MD5 or SHA-1 as the underlying hash function. As can be seen, P_hash can be iterated as many times as necessary to produce the required quantity of data. To make PRF as secure as possible, it uses two hash algorithms in a way that should guarantee its security if either algorithm remains secure. PRF is defined as —
PRF(secret, label, seed) = P_MD5(S1, label || seed) ⊕ P_SHA-1(S2, label || seed)
PRF takes as input a secret value, an identifying label and a seed value and produces an output of arbitrary length. The output is created by splitting the secret value into two halves (S1 and S2) and performing P_hash on each half, using MD5 on one half and SHA-1 on the other half. The two results are XORed to produce the output; for this purpose, P_MD5 will generally have to be iterated more times than P_SHA-1 to produce an equal amount of data for input to the XOR function.
(v) Client Certificate Types — TLS defines the following certificate types to be requested in a certificate_request message — rsa_sign, dss_sign, rsa_fixed_dh and dss_fixed_dh. These are all defined in SSLv3. In addition, SSLv3 includes rsa_ephemeral_dh, dss_ephemeral_dh and fortezza_kea. Ephemeral Diffie-Hellman involves signing the Diffie-Hellman parameters with either RSA or DSS; for TLS, the rsa_sign and dss_sign types are used for that function; a separate signing type is not needed to sign Diffie-Hellman parameters. TLS does not include the Fortezza scheme.
(vi) Certificate_verify and Finished Messages — In the TLS certificate_verify message, the MD5 and SHA-1 hashes are calculated only over handshake_messages. For SSLv3 the hash calculation also included the master secret and pads. These extra fields were felt to add no additional security. As with the finished message in SSLv3, the finished message in TLS is a hash based on the shared master_secret, the previous handshake messages, and a label that identifies client or server. The calculation is somewhat different. For TLS, we have
PRF(master_secret, finished_label, MD5(handshake_messages) || SHA-1(handshake_messages))
where finished_label is the string "client finished" for the client and "server finished" for the server.
(vii) Cryptographic Computations — As in SSLv3, the master_secret in TLS is calculated as a hash function of the pre_master_secret and the two hello random numbers. The form of the TLS calculation is different from that of SSLv3 and is defined as follows —
master_secret = PRF(pre_master_secret, "master secret", ClientHello.random || ServerHello.random)
The calculation of the key block material is defined as —
key_block = PRF(master_secret, "key expansion", SecurityParameters.server_random || SecurityParameters.client_random)
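The TLS 1.0 MAC of (iii), the PRF of (iv) and the master_secret / key_block derivations of (vii) above, carried through in code as an added example (not code from the original text or from any TLS library). The pre_master_secret and hello random values are constructed placeholders; the key_block layout assumed is the RFC 2246 one with 20-byte HMAC-SHA1 MAC secrets first.

```python
"""TLS 1.0 (RFC 2246) PRF, master_secret/key_block derivation and record MAC.
Added example, not code from the original text. The pre_master_secret and
random values below are constructed placeholders."""
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """Data expansion function of fig. 4.24:
    P_hash(secret, seed) = HMAC_hash(secret, A(1)||seed) || HMAC_hash(secret, A(2)||seed) || ...
    with A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)). Iterated until `length`
    bytes are available, then truncated."""
    out, a = b"", seed                                  # a holds A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()     # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label||seed) XOR P_SHA-1(S2, label||seed).
    S1 and S2 are the two halves of the secret; for an odd-length secret the middle
    byte belongs to both halves, as RFC 2246 specifies."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)   # 16 bytes per iteration: more rounds
    sha_part = p_hash("sha1", s2, label + seed, length)  # 20 bytes per iteration
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random || ServerHello.random), 48 bytes."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """key_block = PRF(master_secret, "key expansion", server_random || client_random).
    Note the reversed order of the randoms compared with the master_secret derivation."""
    return prf(master, b"key expansion", server_random + client_random, length)


def record_mac(hash_name: str, mac_write_secret: bytes, seq_num: int,
               content_type: int, version: tuple, fragment: bytes) -> bytes:
    """HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version
    || TLSCompressed.length || TLSCompressed.fragment): 8-byte seq_num, 1-byte type,
    2-byte version (3, 1 for TLS 1.0), 2-byte length, then the fragment."""
    covered = (seq_num.to_bytes(8, "big") + bytes([content_type]) + bytes(version)
               + len(fragment).to_bytes(2, "big") + fragment)
    return hmac.new(mac_write_secret, covered, hash_name).digest()


def verify_record_mac(hash_name, mac_write_secret, seq_num, content_type, version,
                      fragment, received_mac) -> bool:
    """Constant-time check; a changed byte, a replayed sequence number or an altered
    version field all make this return False."""
    expected = record_mac(hash_name, mac_write_secret, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, received_mac)


# Constructed sample values (real ones come from the handshake, never from constants)
PRE_MASTER = bytes([3, 1]) + bytes(range(46))      # 48 bytes, starting with version 3.1
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)


def demo():
    master = derive_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    # key_block layout with HMAC-SHA1: client_write_MAC_secret (20 bytes),
    # server_write_MAC_secret (20 bytes), then the write keys and IVs (not used here)
    kb = derive_key_block(master, CLIENT_RANDOM, SERVER_RANDOM, 40)
    client_mac_secret, server_mac_secret = kb[:20], kb[20:40]
    fragment = b"GET / HTTP/1.0\r\n\r\n"
    tag = record_mac("sha1", client_mac_secret, 0, 23, (3, 1), fragment)
    ok = verify_record_mac("sha1", client_mac_secret, 0, 23, (3, 1), fragment, tag)
    tampered = verify_record_mac("sha1", client_mac_secret, 0, 23, (3, 1), fragment[:-1] + b"?", tag)
    replayed = verify_record_mac("sha1", client_mac_secret, 1, 23, (3, 1), fragment, tag)
    return master, client_mac_secret, server_mac_secret, ok, tampered, replayed


if __name__ == "__main__":
    m, c, s, ok, tampered, replayed = demo()
    print(m.hex(), ok, tampered, replayed)
```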


(viii) Padding — In SSL, the padding added prior to encryption of 
user data is the minimum amount required so that the total size of the data to 
be encrypted is a multiple of the cipher’s block length. In TLS, the padding 
can be any amount that results in a total that is a multiple of the cipher’s block 
length, up to a maximum of 255 bytes. 


Q.83. Explain secure socket layer and transport layer security.
(R.G.P.V., June 2016)
Ans. Secure Socket Layer — Refer to Q.77. 
Transport Layer Security — Refer to Q.82. 
Q.84. Discuss various alert codes of TLS. (R.G.P.V., June 2015)
Ans. TLS supports all of the alert codes defined in SSLv3 except no_certificate. A number of additional codes are defined in TLS; of these, the following are always fatal —
(i) Decryption_failed — A ciphertext decrypted in an invalid way; either it was not an even multiple of the block length or its padding values, when checked, were not correct.
(ii) Record_overflow — A TLS record was received with a payload (ciphertext) whose length exceeds 2^14 + 2048 bytes, or the ciphertext decrypted to a length of greater than 2^14 + 1024 bytes.
(iii) Unknown_ca — A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA.
(iv) Access_denied — A valid certificate was received, but when access control was applied, the sender decided not to proceed with the negotiation.
(v) Decode_error — A message could not be decoded because a field was out of its specified range or the length of the message was incorrect.
(vi) Export_restriction — A negotiation not in compliance with export restrictions on key length was detected.
(vii) Protocol_version — The protocol version the client attempted to negotiate is recognized but not supported.
(viii) Insufficient_security — Returned instead of handshake_failure when a negotiation has failed specifically because the server requires ciphers more secure than those supported by the client.
(ix) Internal_error — An internal error unrelated to the peer or the correctness of the protocol makes it impossible to continue.
The remainder of the new alerts are the following —
(i) Decrypt_error — A handshake cryptographic operation failed, including being unable to verify a signature, decrypt a key exchange or validate a finished message.
(ii) User_canceled — This handshake is being canceled for some reason unrelated to a protocol failure.
(iii) No_renegotiation — Sent by a client in response to a hello request or by the server in response to a client hello after initial handshaking. Either of these messages would normally result in renegotiation, but this alert indicates that the sender is not able to renegotiate. This message is always a warning.
Q.85. What is secure electronic transaction (SET) ? (R.G.P.V., Dec. 2003, June 2004)
Or
Explain secure electronic transaction (SET). (R.G.P.V., June 2009)
Or
What do you mean by secure electronic transaction ? Explain in brief. (R.G.P.V., Dec. 2009)
Ans. Secure electronic transaction (SET) is an open encryption and security specification designed to protect credit card transactions on the Internet. SET standards were developed collectively by a number of companies, including IBM, Microsoft, Netscape, RSA, Terisa, Visa International and Verisign. Trials and tests were carried out as early as 1996 and the first SET-compliant products were available in 1998. SET is not itself a payment system. Rather it is a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network, such as the Internet, in a secure fashion. SET is made up of three services —
(i) The provision of a secure channel between all parties involved in a transaction.
(ii) The provision of a trust relationship based on X.509 certificates.
(iii) The provision of privacy by making information available to any party in a transaction only where and when it is needed.
Q.86. What security protocols are predominantly used in web-based electronic commerce ? (R.G.P.V., June 2011)
Ans. The predominantly used security protocols in web-based electronic commerce are secure electronic transaction (SET) and 3-D secure.
SET — Refer to Q.85.
3-D Secure — The 3-D secure protocol was developed by Visa. The difference between SET and the 3-D secure protocol is that any cardholder who wants to make a payment using 3-D secure has to enrol on the issuer bank's enrolment server before the cardholder makes a card payment. During the actual transaction, when a merchant receives a payment instruction from the cardholder, the merchant forwards this request to the issuer bank through the Visa network. The issuer bank needs the cardholder to give the user id and password that were created during the enrolment process. The cardholder gives these details, which are verified by the issuer bank. Only after the user is authenticated successfully does the issuer bank inform the merchant that it can accept the card payment instruction.


UNIT-V
CRYPTOGRAPHY AND INFORMATION SECURITY TOOLS — SPOOFING TOOLS LIKE ARPING ETC., FOOTPRINTING TOOLS (EX-NSLOOKUP, DIG, WHOIS, ETC.), VULNERABILITIES SCANNING TOOLS (i.e. ANGRY IP, HPING2, IP SCANNER, GLOBAL NETWORK INVENTORY SCANNER, NET TOOLS SUITE PACK), NETBIOS ENUMERATION USING NET VIEW TOOL


Q.1. What is spoofing ? Also write its different forms.
Ans. The term spoofing applies to actions that make an electronic transmission appear to originate from somewhere that it does not. Spoofing can be based on e-mail and web spoofs.
There are three types of spoofing. The first is IP spoofing, in which an intruder sends a message to a computer with an IP address that indicates, by modifying packet headers, that the message is from a trusted host. Web spoofing creates a "shadow copy" of the entire Web. This copy is sent through the victim's computer while tracking all of the victim's activities on the "Web", including passwords, account numbers, or any other information that the victim may enter. A third example of spoofing is e-mail spoofing. E-mail spoofing occurs when a user receives an e-mail that appears to have originated from a source different from the source that it was actually from. The Arping tool is used in the Linux platform to send ARP request messages to a destination host in a LAN. It is used to test whether an IP address is in use or not.


Q.2. Write short note on IP spoofing. (R.G.P.V., May 2018)
Ans. The most common type of spoofing that you are likely to encounter is IP spoofing, used primarily to spoof the source address of e-mail. In this case, an e-mail looks like it comes from one address, when in fact it
252 Cryptography & Information Security
comes from somewhere else instead. The intent is to trick the user into thinking the e-mail comes from a trusted source so that the user will trust it and act on it in some way.
E-mail spoofing can be used to —
(i) Deliver a phishing message (one that tries to trick the user into giving up confidential information). Replying to the e-mail or clicking a link in the e-mail will take the user to a phishing site.
(ii) Deliver a malware payload such as a virus, worm, or Trojan horse. The malware may come as an attachment that must be opened (and perhaps executed) or may be coded into the e-mail so that all the user needs to do is open the e-mail (the malware installs itself when the e-mail is opened).
In the ARP process, the host holding the requested IP address sends an ARP reply so indicating, and the requester sends the packet to the MAC address that replied. This addressing scheme could also be abused to provide a host with incorrect information. ARP spoofing involves constructing forged ARP request and reply packets. By sending forged ARP replies, a target computer could be convinced to send frames destined for computer A to go to computer B instead. This is known as ARP poisoning. There are several programs that automate the process of ARP poisoning — ARPoison, Ettercap and Parasite. All three have the capability to provide spoofed ARP packets and therefore redirect transmission, intercept packets, and/or perform some man-in-the-middle attack.
Either enabling MAC binding at a switch or implementing static ARP tables achieves prevention of ARP spoofing. MAC binding makes it so that once an address is assigned to an adapter, it cannot be changed without authorization. Static ARP management is only realistically possible in a small network. In a large dynamic network, it would be impossible to manage the task of keeping the entries updated. ARPWATCH, a UNIX-based system, monitors changes to the ARP cache and alerts administrators.
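The ARPWATCH-style defence described above (tracking IP-to-MAC bindings, alerting on changes, and checking against a static ARP table), as an added example that is not code from the original text or from ARPWATCH itself. The ARP replies and the static table are constructed.

```python
"""ARPWATCH-style monitor for the ARP spoofing described above. Added example,
not code from the original text. It keeps the IP-to-MAC bindings seen in ARP
replies, checks them against an optional static table (the 'static ARP' and
MAC-binding defence) and raises alerts on changes. Inputs are constructed."""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts ip mac")   # sender IP / sender MAC of one ARP reply

# Constructed log of ARP replies observed on a small LAN (timestamp, IP, MAC)
OBSERVED = [
    ArpReply(100, "192.0.2.1", "00:00:5e:00:53:01"),
    ArpReply(101, "192.0.2.20", "00:00:5e:00:53:20"),
    ArpReply(160, "192.0.2.1", "00:00:5e:00:53:01"),
    ArpReply(161, "192.0.2.1", "00:00:5e:00:53:66"),   # gateway IP suddenly claimed by another MAC
    ArpReply(162, "192.0.2.1", "00:00:5e:00:53:01"),   # and back again: a flip-flop
    ArpReply(163, "192.0.2.30", "00:00:5e:00:53:66"),  # the same MAC also answers for a new IP
]

# Static table an administrator would maintain for a small network (constructed)
STATIC_ARP = {"192.0.2.1": "00:00:5e:00:53:01", "192.0.2.20": "00:00:5e:00:53:20"}


def monitor(replies, static_table=None):
    """Return a list of (ts, alert, ip, old_mac, new_mac) for noteworthy replies.
    'new_station' is informational; the other two are what an administrator acts on."""
    cache = {}            # ip -> mac last seen (the monitored ARP cache)
    alerts = []
    for r in replies:
        mac = r.mac.lower()
        if static_table is not None and r.ip in static_table and static_table[r.ip] != mac:
            alerts.append((r.ts, "static_binding_violation", r.ip, static_table[r.ip], mac))
        prev = cache.get(r.ip)
        if prev is None:
            alerts.append((r.ts, "new_station", r.ip, None, mac))
        elif prev != mac:
            alerts.append((r.ts, "changed_ethernet_address", r.ip, prev, mac))
        cache[r.ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """One MAC answering for several IPs is a classic poisoning symptom."""
    seen = {}
    for r in replies:
        seen.setdefault(r.mac.lower(), set()).add(r.ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in monitor(OBSERVED, STATIC_ARP):
        print(alert)
    print(macs_claiming_multiple_ips(OBSERVED))
```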
Q.4. Write short note on footprinting.
Ans. Footprinting is the first and most convenient way that hackers use to gather information about computer systems and the companies they belong to. The purpose of footprinting is to learn as much as you can about a system, its remote access capabilities, its ports and services, and the aspects of its security.

In order to perform a successful hack on a system, it is best to know as 
much as you can, if not everything, about that system. While there is nary a 
company in the world that is not aware of hackers, most companies are now 
hiring hackers to protect their systems. And since footprinting can be used to 
attack a system, it can also be used to protect it. If you can find anything out 
about a system, the company that owns that system, with the right personnel, 


can find out anything they want about you. 

Footprinting is necessary for one basic reason — it gives you a picture of 
what the hacker sees. And if you know what the hacker sees, you know what 
potential security exposures you have in your environment. And when you 
know what exposures you have, you know how to prevent exploitation. 


Hackers are very good at one thing — getting inside your head, and you do 
not even know it. They are systematic and methodical in gathering all pieces 
of information related to the technologies used in your environment. Without 
a sound methodology for performing this type of reconnaissance yourself, you 
are likely to miss key pieces of information related to a specific technology or 
organization — but trust me, the hacker won’t. 

Be forewarned, however, footprinting is often the most arduous task of 
trying to determine the security posture of an entity; and it tends to be the 
most boring for freshly minted security professionals eager to cut their teeth 
on some test hacking. However, footprinting is one of the most important 


steps and it must be performed accurately and in a controlled fashion. 
Some of the common techniques used for information gathering in the footprinting phase include the following —
(i) DNS enumeration and identifying types of DNS records
(ii) Nslookup and DNSstuff
(iii) Whois and AfriNIC lookups and analyzing Whois
(iv) Finding the address range of the network
(v) Using traceroute
(vi) E-mail tracking
(vii) Web spiders.


Q.5. Discuss about the active and passive footprinting.
Ans. Active Footprinting — In active footprinting, the hacker directly interacts with the system or application to gather information about the target system. In the case of active footprinting there is a high chance that the target system saves the information, such as the IP address, of the hacker.
Passive Footprinting — In passive footprinting, the information is gathered from the search engines or public sources rather than from the system.


Q.6. Explain the footprinting tools.
Ans. The footprinting tools are as follows —
(i) Nslookup — Nslookup is a command-line tool available in many computer operating systems for querying the domain name system (DNS) to obtain domain name or IP address mapping or for any other specific DNS record. It is included in UNIX, Linux, and Windows operating systems. Nslookup is one of the powerful tools that query DNS servers for record information. It has an interactive mode and a non-interactive mode; options, which are specified on the command line, should precede nslookup commands. In non-interactive mode, the name or IP address of the host being searched, the parameters and the query are specified as command line arguments in the invocation of the program. The non-interactive mode searches the information for the specified host using the default name server.
Unit-V 235
(ii) WHOIS — WHOIS (pronounced "who is") is an Internet database containing information on domain names including the name servers associated with the domain name, the domain registrar and the administrative, billing and technical contacts with postal and e-mail addresses.
WHOIS is also a tool or an application which searches the domain name information contained in the WHOIS database. It is generally used to check either the availability of a domain name or the ownership of a domain name. The tool allows you to enter a domain name such as sustech.edu (without the www). If the domain is available you will be informed of the same, else the result displayed contains one or more details —
(a) The registrant information — Details of the person who registered the domain name including their postal and e-mail addresses and phone number.
(b) The contacts — Each domain name is associated with three contacts — Administrative, billing and technical. In most cases, all the three would belong to the same person (the registrant).
(c) The creation and expiration data of the domain name.
(d) The name servers associated with the domain name.
(iii) Dig — Dig (domain information groper), part of the DNS name server BIND, is a command-line tool for querying DNS name servers. It is DNSSEC capable and can be used to verify the DNSSEC chain of trust from a top-down and a bottom-up perspective. However, we found that the current version queries all possible name servers for a TLD or authoritative zone for their A-record, even when glue records are known, when using the top-down approach, resulting in an infeasible amount of lookups. Hence, we only used Dig in a bottom-up approach using a DNSSEC-capable resolver as performed in our passive scenario in "Bottom-up measurement scenario".


Q.7. What are the advantages of footprinting ?
Ans. The advantages of footprinting are as follows —
(i) Footprinting allows hackers to gather the basic security configurations of a target machine along with network route and data flow.
(ii) Once the attacker finds the vulnerabilities, the attack can be concentrated on a specific area of the target machine.
(iii) It allows the hacker to identify which attack is more effective to hack the target system.
Q.8. What is scanning ? Discuss various types of scanning.
Ans. Scanning is a systematic process of sweeping through a collection of data looking for a specific pattern. In a network environment, the scanning process may involve a program that sweeps through thousands of IP addresses searching for a particular IP address string or a string that represents a vulnerable port number. Table 5.1 lists the three types of scanning.
Table 5.1 Types of Scanning
Scanning Type : Purpose
Port scanning : Determines open ports and services
Network scanning : Identifies IP addresses
Vulnerability scanning : Presence of known weaknesses
(i) Port Scanning — Port scanning determines open ports and available TCP services.
(ii) Network Scanning — Network scanning is a procedure for identifying active hosts on a network, either to attack them or as a network security assessment. Hosts are identified by their individual IP addresses. Network scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.
(iii) Vulnerability Scanning — Vulnerability scanning is the process of proactively identifying the vulnerabilities of computer systems on a network. Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed. Then the vulnerability scanner identifies weaknesses or vulnerabilities in the operating system. In the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system.
An intrusion detection system (IDS) or a sophisticated network security professional with the proper tools can detect active port-scanning activity. Port scanning probes the TCP/IP ports looking for open ports and IP addresses, and these probes can be recognized by most security intrusion detection tools. Network and vulnerability scanning can usually be detected as well, because the scanner must interact with the target system over the network.
Q.9. What are the forms of scanning ?
Ans. There are two forms of scanning — pattern-based and heuristic scanning.
(i) Pattern-based Scanning — In pattern-based scanning, all content coming into or leaving the network, an ISP gateway, or user PC is scanned and checked against a list of patterns, or definitions, supplied and kept up-to-date by the vendor. The technique involves simply comparing the contents, which can be done in many ways. Almost all antivirus software packages work this way. This approach can, however, be slow and resource intensive.
(ii) Heuristic Scanning — Heuristic scanning is performed by looking at a section of code and determining what it is doing, then deciding whether the behaviour exhibited by the code is unwanted, harmful like a virus or otherwise malicious. This approach to scanning is difficult because it involves modeling the behaviour of code and comparing that abstract model to a rule set. The rule set is kept in a rule database on the machine and the database is updated by the vendor. This approach is time consuming because of the checking and cross-checking and it is also resource intensive, if not more than the previous one. Theoretically, heuristics has many advantages over pattern-based scanning including better efficiency and accuracy. It can, potentially, detect viruses that have not been written yet.
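The port-scan detection that Q.8 above attributes to an IDS, worked as an added example (not code from the original text or from any IDS product): a sliding-window detector run over constructed connection-attempt log lines, reporting both a vertical port scan against one host and a horizontal sweep of one port across many hosts. The log format is an assumption made for the example.

```python
"""Detecting active port-scanning activity from connection logs, as described
in Q.8. Added example, not code from the original text. The log format and the
lines below are constructed: one '<epoch> <src_ip> <dst_ip> <dst_port> <flags>'
record per connection attempt."""
from collections import defaultdict

LOG = """\
1000 198.51.100.7 192.0.2.10 22 S
1000 198.51.100.7 192.0.2.10 23 S
1001 198.51.100.7 192.0.2.10 25 S
1001 198.51.100.7 192.0.2.10 80 S
1002 198.51.100.7 192.0.2.10 110 S
1002 198.51.100.7 192.0.2.10 143 S
1003 198.51.100.7 192.0.2.10 443 S
1003 198.51.100.7 192.0.2.10 445 S
1004 198.51.100.7 192.0.2.10 3389 S
1004 198.51.100.7 192.0.2.10 8080 S
1005 198.51.100.7 192.0.2.10 8443 S
1005 198.51.100.7 192.0.2.10 9000 S
1010 203.0.113.9 192.0.2.10 443 S
1011 203.0.113.9 192.0.2.10 443 S
1200 203.0.113.9 192.0.2.10 80 S
1300 198.51.100.7 192.0.2.11 22 S
1301 198.51.100.7 192.0.2.12 22 S
1302 198.51.100.7 192.0.2.13 22 S
1303 198.51.100.7 192.0.2.14 22 S
1304 198.51.100.7 192.0.2.15 22 S
1305 198.51.100.7 192.0.2.16 22 S
"""


def parse(log_text):
    """Turn the constructed log into (ts, src, dst, port, flags) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, flags = line.split()
        events.append((int(ts), src, dst, int(port), flags))
    return events


def detect_scans(events, window=60, port_threshold=10, host_threshold=5):
    """Sliding-window detector. A source touching >= port_threshold distinct ports on
    one host within `window` seconds is a port scan (vertical); one touching the same
    port on >= host_threshold hosts is a network sweep (horizontal). Returns sorted
    (kind, src, target, count) tuples with the largest count seen per target."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    found = {}
    for src, evs in by_src.items():
        for i, (start, _, _, _, _) in enumerate(evs):
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for ts, _, dst, port, _ in evs[i:]:
                if ts - start > window:
                    break
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    key = ("port_scan", src, dst)
                    found[key] = max(found.get(key, 0), len(ports))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    key = ("network_sweep", src, str(port))
                    found[key] = max(found.get(key, 0), len(hosts))
    return sorted(key + (count,) for key, count in found.items())


if __name__ == "__main__":
    for alert in detect_scans(parse(LOG)):
        print(alert)
```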


Q.10. Discuss about the vulnerabilities scanning tools.
Ans. Some important vulnerabilities scanning tools are as follows —
(i) Angry IP Scan — Angry IP scanner is a tool that scans a network for open IP addresses, designed for network administrators to check the network security. Angry IP scanner is a cross-platform port and IP scanner. The application is developed in Java, so it is cross-platform compatible with different OS. It is a great program for doing a network audit or for just finding out more information about your network. It can locate any network device by sending ICMP echo request packets to the target and listening for ICMP echo replies; the round trip time is measured by ping. It moreover records ...
(ii) Net Tools Suite Pack — This suite includes tools such as a passive port scanner, Net Sender, ... connector, Advanced ports, Trojan ..., anonymous e-mailer, anonymous e-mailer with attachment, E-mail bomber, E-mail spoofer, Simple port scanner, Mass ...


Ans. A vulnerability scanner is broken down into four major modules — user interface, scan engine, scan database and report generation module.
(i) User Interface — This is the part where the user interacts with the scanner system to execute or configure their scan. This interface can be a graphical user interface (GUI) or a command line interface (CLI) or a web interface.
(ii) Scan Engine — The scan engine performs the vulnerability scan on the remote host based on the latest installed plug-ins and payloads. The user can run a single system scan or a multiple host scan at a single time also.
(iii) Scan Database — The vulnerability database stores all the scans previously performed. The scan database contains all the information about open ports, packet types, services, a potential path to exploit, latest attack ... etc. This may also contain the different techniques to patch the vulnerability and has detailed information of CVE-ID mapping (common vulnerabilities and exposures).
(iv) Report Module — The report module generates different types of reports such as a detailed report, a list of vulnerabilities, a graphical report with their recommendation to mitigate the detected vulnerabilities.
The architecture of vulnerability scanners is shown in fig. 5.1.
Fig. 5.1 Components of Vulnerability Scanner : User Interface, Scan Engine, Scan Database, Report Module


Q.12. Define the term Nessus.
Ans. Nessus is one of the most popular vulnerability scanners. It is used for both authenticated and unauthenticated vulnerability scans. It is suitable for both internal and external network scans. It also performs the scanning of web applications. The main advantage of this tool is that it performs multiple host scanning at once. The detected vulnerabilities are categorized into four types based on their severity levels — High, Medium, Low and Informal.
A detailed scan result is automatically saved as the scanning of the desired host is completed. The results are expressed in two different forms — first is vulnerabilities by plug-ins and second is vulnerabilities by host. The first classifies all the vulnerabilities detected during the scan, and then shows the list of all hosts affected by these vulnerabilities. By using the detailed generated scan report, issues can be addressed easily. The second lists all the hosts found in the scanning phase and their existing vulnerabilities.
This report will help security professionals to address the distinct issues associated with individual hosts or networks. Its real time active scanning provides continuous network monitoring and bridges the security gaps. Nessus scan results can be exported in different formats as desired, like PDF, HTML and CSV etc. Nessus works on the client-server architecture. Each scan session is managed by the client and performed by the servers.
Q.13. Write short note on enumeration.

Ans. Enumeration is the process of extracting and compiling usernames, machine names, network resources, shares and services. It also refers to actively querying or connecting to a target system to acquire this information.

The objective of enumeration is to identify a user account or system account for potential use in hacking the target system. It is not necessary to find a system administrator account, because most account privileges can be escalated to allow the account more access than was previously granted.

Many hacking tools are designed for scanning IP networks to locate NetBIOS name information. For each responding host, the tools list IP address, NetBIOS computer name, logged-in username, and MAC address information.

Q.14. Discuss about the null sessions.

Ans. A null session occurs when you log in to a system with no username or password. A NetBIOS null session is established with the net use command; the empty quotation marks ("") in the command indicate that you want to connect with no username and no password. Once the net use command has been successfully completed, the hacker has a channel over which to use other hacking tools and techniques.

Q.15. How can NetBIOS enumeration be done using the Net View tool?

Ans. Many hacking tools are designed for scanning IP networks to locate NetBIOS name information. For each responding host, the tools list IP address, NetBIOS computer name, logged-in username, and MAC address information.

On a Windows 2000 domain, the built-in tool net view can be used for NetBIOS enumeration. To enumerate NetBIOS names using the net view command, type the following at the command prompt —

net view /domain
nbtstat -A IP address

net view is a great example of a built-in enumeration tool. net view is an extraordinarily simple command-line utility that will list domains available on the network and then lay bare all machines in a domain. Here's how to enumerate domains on the network using net view —

C:\>net view /domain
Domain
CORLEONE
BARZINI_DOMAIN
TATTAGLIA_DOMAIN
BRAZZI
The command completed successfully.

Supplying an argument to the /domain switch will list computers in a particular domain, as shown next —
C:\>net view /domain:corleone
Server Name            Remark
\\VITO                 Make him an offer he can't refuse
\\MICHAEL              Nothing personal
\\SONNY                Badda bing badda boom
\\FREDO                I'm smart
\\CONNIE               Don't forget the cannoli


For the command-line challenged, the Network Neighborhood shows essentially the same information shown in these commands. However, because of the sluggishness of updates to the browse list, we think the command-line tools are snappier and more reliable.


Another great built-in tool is nbtstat, which calls up the NetBIOS name table from a remote system. The name table contains a great deal of information, as shown in the following example —

C:\>nbtstat -A 192.168.202.33
Local Area Connection:
Node IpAddress: [192.168.234.244] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CAESARS        <00>  UNIQUE      Registered
    VEGAS2         <00>  GROUP       Registered
    VEGAS2         <1C>  GROUP       Registered
    CAESARS        <20>  UNIQUE      Registered
    VEGAS2         <1B>  UNIQUE      Registered
    VEGAS2         <1E>  GROUP       Registered
    VEGAS2         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-01-03-27-93-8F
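The name table above is only useful to a defender once each <suffix>/type pair is read as the service it advertises. The following parser is an added example, not code from the book: it takes an nbtstat -A listing (the sample is a constructed copy of the table above) and summarises what the host exposes. The suffix meanings are the standard NetBIOS values and are not stated on this page.

```python
import re

# Well-known NetBIOS suffix / type pairs and the service each one advertises
# (standard values, assumed here; the page does not list them).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service (logged-in user or computer)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"):  "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"):  "Browser Service Elections",
    ("20", "UNIQUE"): "File Server Service (shares)",
    ("01", "GROUP"):  "Master Browser (__MSBROWSE__)",
}

# Constructed copy of the nbtstat -A output shown in the text.
SAMPLE_OUTPUT = """\
Local Area Connection:
Node IpAddress: [192.168.234.244] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CAESARS        <00>  UNIQUE      Registered
    VEGAS2         <00>  GROUP       Registered
    VEGAS2         <1C>  GROUP       Registered
    CAESARS        <20>  UNIQUE      Registered
    VEGAS2         <1B>  UNIQUE      Registered
    VEGAS2         <1E>  GROUP       Registered
    VEGAS2         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-01-03-27-93-8F
"""

# One name-table row: name, <suffix>, UNIQUE|GROUP, status.
ROW_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_name_table(text):
    """Return the rows of the name table plus the MAC address, if present."""
    entries = []
    for name, suffix, ntype, status in ROW_RE.findall(text):
        suffix = suffix.upper()
        entries.append({
            "name": name,
            "suffix": suffix,
            "type": ntype,
            "status": status,
            "meaning": SUFFIX_MEANING.get((suffix, ntype), "unknown suffix"),
        })
    mac = MAC_RE.search(text)
    return {"entries": entries, "mac": mac.group(1) if mac else None}


def summarize(table):
    """Reduce the table to what a defender wants to know about the host."""
    entries = table["entries"]
    return {
        "host_names": sorted({e["name"] for e in entries
                              if e["suffix"] == "00" and e["type"] == "UNIQUE"}),
        "domains": sorted({e["name"] for e in entries
                           if e["suffix"] == "00" and e["type"] == "GROUP"}),
        # <20> means the file server service (SMB shares) is reachable on this host.
        "file_sharing": any(e["suffix"] == "20" for e in entries),
        # <1C> GROUP is registered by domain controllers of that domain.
        "domain_controller": any(e["suffix"] == "1C" for e in entries),
        "browser_roles": sorted({e["meaning"] for e in entries
                                 if e["suffix"] in ("1B", "1D", "1E", "01")}),
        "mac": table["mac"],
    }


if __name__ == "__main__":
    table = parse_name_table(SAMPLE_OUTPUT)
    for e in table["entries"]:
        print(f'{e["name"]:<16} <{e["suffix"]}> {e["type"]:<6} {e["meaning"]}')
    print(summarize(table))
```

Run against a real capture, a host reporting <20> and <1C> is both a file server and a domain controller, which is exactly the kind of exposure an inventory of NetBIOS names is meant to surface.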


Q.16. Discuss the various types of NetBIOS enumeration tools.

Ans. (i) DumpSec — It connects to the target system as a null user with the net use command. It then retrieves users, groups, NTFS permissions, and file ownership information.

(ii) Hyena — It is a tool that enumerates NetBIOS shares and additionally can exploit the null session vulnerability to connect to the system and change the share path or edit the registry.

(iii) SMB Auditing — It is a password-auditing tool for the Windows and Server Message Block (SMB) platforms. Windows uses SMB to communicate between the client and server. The SMB auditing tool is able to identify usernames and crack passwords on Windows systems.

(iv) NetBIOS Auditing — It is another NetBIOS enumeration tool. It's used to perform various security checks on remote servers running NetBIOS file sharing services.

Q.17. What is SNMP enumeration?

Ans. SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication — the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.

Almost all network infrastructure devices, such as routers and switches, contain an SNMP agent to manage the system or device. The SNMP management station sends requests to agents, and the agents send back replies. The requests and replies refer to configuration variables accessible by the agent software. Management stations can also send requests to set values for certain variables. Traps let the management station know that something significant has happened in the agent's software, such as a reboot or an interface failure. The Management Information Base (MIB) is the database of configuration variables, which resides on the networking device.

SNMP has two passwords we can use to access and configure the SNMP agent from the management station. The first is called a read community string. This password lets you view the configuration of the device or system. The second is called the read/write community string; it is for changing or editing the configuration on the device. Generally, the default read community string is public and the default read/write community string is private. A common security loophole occurs when the community strings are left at the default settings — a hacker can use these default passwords to view or change the device configuration.
STEGDETECT, STEGANOGRAPHY DETECTION TOOL, STEGSPY

Q.18. What is steganography? How is it different from cryptography? (May 2018)

Ans. A method of hiding a secret message inside other messages is known as steganography. It facilitates hiding of a message that is to be kept secret inside other messages. Historically, concealment of the secret message used procedures like invisible inks, minute variations of handwritten characters, tiny pin punctures on specific characters, pencil marks on typewritten characters, etc. Secret messages are now hidden by people in graphic images. For example, consider that a user has a secret message and an image taken by a camera. The user can replace the last two rightmost bits of each byte of the image file with bits of his secret message. The resulting image would not look too different, as well as containing a secret message inside. The opposite trick would be done by the receiver — the last two bits of each byte of the received image file represent this message.

1010101010

Various transformations enable these invisible messages to pass undetected. This is now achieved with sound and images as well. The methods of steganography conceal the very existence of the message, for example by hiding the message inside a picture or by taking the first letter of each word of an innocent-looking text.



Types of Steganography —

(i) Image Steganography — The process of concealing the secret message in an image file is known as image steganography.

(ii) Audio Steganography — In audio steganography, audio is used as the carrier to hide information. It is also very robust in nature, but with a limit on the amount of data one can hide.

(iii) Network Steganography — Network steganography is the modification of …

(iv) Text Steganography — Secret data is hidden in a text file. This has less robustness and is not that much efficient in hiding the data. It can be detected by the eyes of intruders.

Q.20. Describe the steganography measures.

Ans. The steganography measures are as follows —

(i) Imperceptibility — A steganographic process is imperceptible when an eye cannot distinguish between the cover image and the stego image.

(ii) Payload — It indicates the amount of secret information that can be embedded in the cover image. The embedding rate is given in absolute measurement, such as the length of the secret message.

(iii) Statistical Attacks — The process of extracting the secret information from the stego object is known as statistical attack. The algorithm used for steganography must be robust to statistical attacks.

(iv) Security — Security of a steganographic system is defined in terms of undetectability, which is assured when the statistical tests cannot distinguish between the cover and the stego-image.

(v) Computational Cost — Data hiding and data retrieval are the two parameters used to figure the computational cost of any steganography approach. Information concealing time refers to the time required to embed information inside a cover video frame, and information recovery refers to the extraction time of the secret message from the stego frame.

(vi) Perceptual Quality — Increasing the payload degrades the quality of the video, so an approach should be used such that the quality remains intact, to avoid it from getting in sight.


Q.21. What are the uses of steganography?

Ans. The uses of steganography are as follows —

(i) Steganography can be a solution which makes it possible to send news and information without being censored and without the fear of the messages being intercepted and traced back to us.

(ii) It is also possible to simply use steganography to store information on a location. For example, several information sources like our private banking information, some military secrets, can be stored in a cover source. When we are required to unhide the secret information in our cover source, we can easily reveal our banking data and it will be impossible to prove the existence of the military secrets inside.

(iii) Steganography can also be used to implement watermarking. Although the concept of watermarking is not necessarily steganography, there are several steganographic techniques that are being used to store watermarks in data. Since people will not accept noticeable changes in images, audio or video files because of a watermark, steganographic methods can be used to hide this.

(iv) E-commerce allows for an interesting use of steganography. In current e-commerce transactions, most users are protected by a username and password, with no real method of verifying that the user is the actual card holder. Biometric finger print scanning, combined with unique session IDs embedded into the fingerprint images via steganography, allows for a very secure option to open e-commerce transactions on Internet websites.

Q.22. What do you mean by merge streams?

Ans. Merge Streams shows how to hide an Excel workbook inside an MS Word document. It does not use any crypto and is not secure enough, but is a smart trick.

How to Hide —
Step 1 — Open the Merge Streams software.
Step 2 — Browse the MS Office file (the MS Word document).
Step 3 — Select the Excel workbook which you want to hide inside the MS Word file.
Step 4 — Click on Merge.

Fig. 5.3

Now, to open the hidden file, right click on the merged MS Office document and, on the "Open with" option, choose MS Office Excel.

Q.23. Discuss the steganography techniques for image hiding.

Ans. (i) Frequency Domain Technique — This is a more complex way of hiding information in an image. Various algorithms and transformations are used on the image to hide information in its frequency domain. Embedding in the frequency domain is termed a frequency domain embedding technique, for which a number of transforms are used. The frequency domain techniques are broadly classified into —

(a) Fourier Transformation Technique — The Fourier transform gives the frequency component for each pixel of the image, and the information is embedded in the transformed frequency domain.

(b) Discrete Cosine Transformation Technique — The discrete cosine transform (DCT) is a technique for converting a signal into elementary frequency components. It is widely used in image compression.

(c) Discrete Wavelet Transformation Technique — A discrete wavelet transform (DWT) is any wavelet transform for which the wavelets are discretely sampled.

(ii) Spatial Domain Methods — There are many versions of spatial steganography; all directly change some bits in the image pixel values in hiding data. Spatial domain techniques are broadly classified into —

(a) Least Significant Bit — The least significant bit (LSB) in a series of numbers in binary is the bit located at the far right of a string. For example, in the binary number 10111001, the least significant bit is the far right 1. Here the secret information is stored in the LSB of each pixel.

(b) Pixel Value Differencing — The pixel-value differencing (PVD) scheme provides high imperceptibility to the stego image by selecting two consecutive pixels, and designs a quantization range table to determine the payload by the difference value between the consecutive pixels.

(c) Edge Based Data Embedding Method — In EBE, the data is embedded in the edge pixels of an image. Here, we first calculate the masked image by masking the two LSB bits in the cover image, then compute the edge map, which is used to scramble the data with …
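The two-bit LSB replacement described in Q.18 and Q.23(a) (overwrite the last two bits of each cover byte with message bits; the receiver reads them back) is worked through below on a byte buffer. This is an added example, not code from the book: the cover is a constructed byte string standing in for raw pixel data, a 4-byte length header is added so the receiver knows where the message ends, and a small distortion measure shows why the result "would not look too different" (Q.20, imperceptibility and payload).

```python
from itertools import islice

# Number of low bits of each cover byte that carry payload (the text uses two).
BITS = 2
MASK = (1 << BITS) - 1          # 0b11
HEADER_LEN = 4                  # bytes used to store the payload length (assumption)


def capacity(cover_len):
    """Payload bytes the cover can hold once the length header is stored."""
    return (cover_len * BITS) // 8 - HEADER_LEN


def _chunks(data):
    """Split bytes into BITS-wide chunks, most significant chunk first."""
    for byte in data:
        for shift in range(8 - BITS, -1, -BITS):
            yield (byte >> shift) & MASK


def _assemble(chunks):
    """Inverse of _chunks: pack BITS-wide chunks back into bytes."""
    out = bytearray()
    acc = count = 0
    for c in chunks:
        acc = (acc << BITS) | c
        count += BITS
        if count == 8:
            out.append(acc)
            acc = count = 0
    return bytes(out)


def embed(cover, secret):
    """Sender side: overwrite the low BITS of successive cover bytes with the payload."""
    if len(secret) > capacity(len(cover)):
        raise ValueError("payload does not fit in the cover")
    payload = len(secret).to_bytes(HEADER_LEN, "big") + secret
    stego = bytearray(cover)
    for i, chunk in enumerate(_chunks(payload)):
        stego[i] = (stego[i] & ~MASK & 0xFF) | chunk   # keep high bits, replace low ones
    return bytes(stego)


def extract(stego):
    """Receiver side: read the low BITS of each byte; the header says how many bytes follow."""
    low_bits = (b & MASK for b in stego)
    header = _assemble(islice(low_bits, HEADER_LEN * 8 // BITS))
    n = int.from_bytes(header, "big")
    return _assemble(islice(low_bits, n * 8 // BITS))


def distortion(cover, stego):
    """Largest per-byte change and the fraction of bytes touched.
    With two low bits replaced, no byte can move by more than 3 out of 255."""
    diffs = [abs(a - b) for a, b in zip(cover, stego)]
    return max(diffs), sum(1 for d in diffs if d) / len(diffs)


if __name__ == "__main__":
    cover = bytes(range(256)) * 4          # constructed 1024-byte "image"
    stego = embed(cover, b"Meet at dawn")
    print(extract(stego), distortion(cover, stego), capacity(len(cover)))
```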
Q.25. Define the following terms —
(i) S-T ools
(ii) Steghide
(iii) Steganos
(iv) Stegdetect
(v) StegoStick.

Ans. (i) S-Tools — S-Tools spreads a message over the whole carrier medium. S-Tools is a steganography tool that hides files in BMP, GIF, and WAV files. You open up a copy of S-Tools and drag pictures and sounds across to it. To hide files you just drag them over open sound/picture windows. You can hide multiple files in one sound/picture, and your data is compressed before being encrypted and then hidden. Multi-threaded operation means that you can have many hide/reveal operations going simultaneously without fear of them interfering with each other or holding up your work. You can even close the original picture/sound window with no ill effects to ongoing threads. Encryption services come …

(ii) Steghide — Steghide is a program able to hide data in various kinds of image and audio files (JPEG, BMP, WAV and AU). The colour respective sample frequencies are not changed, thus making the embedding resistant against first-order statistical tests. It can be used in batch files for hiding or revealing files.

(iii) Steganos — Steganos uses encryption together with steganography; its advanced encryption options make hiding photos and other files simple. It is an invaluable tool when you consider how many laptops are lost or stolen every day. Hardware is replaceable. Your data is not.

Stego is a steganography tool that enables you to embed data in Macintosh PICT format files, without changing the appearance or size of the PICT file. Thus, Stego can be used as an "envelope" to hide a previously encrypted data file in a PICT file, making it much less likely to be detected.

(iv) Stegdetect — Stegdetect is a utility that analyses image files for steganographic content, developed by Niels Provos. It uses statistical tests to find the system that has been used to embed the hidden information, if steganographic content is present. Out of the three other steganalysis tools, it is the only one that can be executed from a batch file. A Windows version is made from a compilation of the sources.

(v) StegoStick — StegoStick is a Java-based open source steganographic tool that lets you hide any file into any image (BMP, JPG, GIF), audio/video file, or any other file format (PDF, EXE, CHM, etc.). It hides any file or message in the chosen carrier.

Q.26. Explain in detail about the steganalysis.

Ans. Steganalysis is "the process of detecting steganography by looking at variances between bit patterns and unusually large file sizes". It is the art of discovering and rendering covert messages. The goal of steganalysis is to identify suspected information streams, determine whether or not they have hidden messages encoded into them, and, if possible, recover the hidden information. Unlike cryptanalysis, where it is evident that intercepted encrypted data contains a message, steganalysis generally starts with several suspect information streams but uncertainty whether any of these contain hidden messages.

Fig. 5.4 A Graphical Version of the Steganographic System (Secret Message → Embedding Function → Extracting Function → Extracted Message)



Steganalysis Techniques — Hiding information within an electronic medium causes alteration of the medium properties that can result in some form of degradation or unusual characteristics.

(i) Unusual Patterns — Unusual patterns in a stego image are suspicious. For example, there are some disk analysis utilities that can filter hidden information in unused partitions in storage devices. Filters can also be used to identify TCP/IP packets that contain hidden or invalid information in the packet headers. TCP/IP packets used to transport information across the Internet have unused or reserved space in the packet headers.

(ii) Visual Detection — Analyzing repetitive patterns may reveal the identification of a steganography tool or hidden information. To inspect these patterns, an approach is to compare the original cover image with the stego image and note visible differences. This is called a known carrier attack. By comparing numerous images it is possible that patterns emerge as signatures to a steganography tool. Another visual clue to the presence of hidden information is padding or cropping of an image. With some stego tools, if an image does not fit into a fixed size it is cropped or padded with black spaces. There may also be a difference in the file size between the stego-image and the cover image. Another indicator is a large increase or decrease in the number of unique colours, or colours in a palette which increase incrementally rather than randomly.

(iii) Tools to Detect Steganography — The disabling or removal of hidden information in images is dependent on the image processing techniques. For example, with LSB methods of inserting data, simply compressing the image using lossy compression is enough to disable or remove the hidden message. There are several available steganographic detection tools, such as ILook Investigator by the Electronic Crimes Program, various MD5 hashing utilities, etc.



Q.27. Write short note on StegSpy.

Ans. StegSpy is a program, always in progress, that allows you to identify a file, detecting steganography and the program used to hide the message. It was developed by Spy-Hunter. Currently it identifies steganography from the following programs —
(i) Hiderman
(ii) JP hide and seek
(iii) Masker
(iv) JPegX
(v) Invisible Secrets.
It is a GUI application, therefore it cannot be run from a batch file. It also detects the location of the hidden content.

TROJAN HORSE, DETECTION TOOLS (I.E. NETSTAT, FPORT, TCPVIEW, CURRPORTS TOOLS, PROCESS VIEWER), LAN SCANNER TOOLS (I.E. LOOK@LAN, WIRESHARK, TCPDUMP)

Q.28. Write short note on Trojan horse.

Ans. A Trojan horse is a malicious program disguised as something benign. Trojans are often downloaded along with another program or software package. Once installed on a system, they can cause data theft and loss, and system crashes or slowdowns; they can also be used as launching points for other attacks such as Distributed Denial of Service (DDoS). Many Trojans are used to manipulate files on the victim computer, manage processes, remotely run commands, intercept keystrokes, watch screen images, and restart or shut down infected hosts. Sophisticated Trojans can connect themselves to their originator or announce the Trojan infection on an Internet Relay Chat (IRC) channel. Table 5.2 lists some common Trojans and their default port numbers.

Table 5.2 Common Trojan Programs

Trojan               Default Port Number
BackOrifice          31337 or 31338
Deep Throat          2140 and 3150
NetBus               12345 and 12346
Whack-a-mole         12361 and 12362
NetBus 2             20034
GirlFriend           21544
Masters Paradise     3129, 40421, 40422, 40423 and 40426

The Trojan installs itself somewhere on the computer, starts listening on some port(s) for incoming connections from the attacker, modifies the registry and/or uses some other auto-starting method.

It's necessary for the attacker to know the victim's IP address to connect to his/her machine. Many Trojans have features like mailing the victim's IP, as well as messaging the attacker via ICQ or IRC. This is used when the victim has a dynamic IP, which means every time you connect to the Internet you get a different IP (most of the dial-up users have this).

Most of the Trojans use auto-starting methods, so even when you shut down your computer they're able to restart and again give the attacker access to your machine. New auto-starting methods and other tricks keep being discovered. Everything starts from "joining" the Trojan into some executable file, explorer.exe for example, and goes on to modifying the system files or the Windows Registry.

Q.30. List the different types of Trojans.

Ans. Trojans can be created and used to perform different attacks. Some of the most common types of Trojans are —

(i) Remote Access Trojans (RATs) — Used to gain remote access to a system.

(ii) Data-sending Trojans — Used to find data on a system and deliver data to a hacker.

(iii) Destructive Trojans — Used to delete or corrupt files on a system.

(iv) Denial of Service Trojans — Used to launch a denial of service attack.

(v) Proxy Trojans — This is a type of Trojan horse designed to use the victim's computer as a proxy server. This gives the attacker an opportunity to do everything from your computer, including the possibility of conducting credit card fraud and other illegal activities, or even to use your system to launch malicious attacks against other networks.

(vi) FTP Trojans — Allows the attacker to use someone else's computer as an FTP server. Installing this Trojan onto your computer would allow the attacker to upload files from his PC to yours, which could lead to even more installation of malware.

(vii) Security Software Disabler Trojans — Used to stop antivirus software.

Q.31. Discuss the various tools of Trojans.

Ans. A Trojan horse is a legitimate application that has been modified with malicious code. It masquerades as a legitimate application, providing the victim's host with an access point, or a client that can connect outbound to a server waiting remotely. Trojans don't necessarily exploit a vulnerability unless privilege escalation is necessary. They provide a command environment for the user that connects to them, which includes file browsers, keyloggers, web cam viewer, and many additional tools.

Terms —
(i) Wrapper or binder — Application used to combine a Trojan binary and a legitimate program.
(ii) Rootkit — Can be installed via a Trojan; used to hide the processes that create backdoors.
(iii) HTTP Trojan — Reverses a connection outbound through an HTTP or SHTTP tunnel.
(iv) Netcat — Not really a Trojan, but code to set up the listener.
(v) Hoax — Many legit tools are rumored to be Trojans but might not be.
(vi) Keylogger — Records the keystrokes on the install host and saves them in a log.

Famous Trojans Tools —
(i) Tini — Small 3 Kb file, uses port 7777.
(ii) Loki — Used ICMP as a tunneling protocol.
(iii) Netbus — One of the first RATs (Remote Authentication Trojan).
(iv) Sub7 — Written in Delphi, expanded on what Netbus had demonstrated.
(v) Back Orifice — First modular malware, had the capabilities to be expanded on by outside authors.
(vi) Beast — All in one client/server binary.
(vii) MoSucker — Client could select the infection method for each binary.
(viii) Nuclear RAT — Reverse connecting Trojan.
(ix) Monkey shell — Provides a powerful shell environment that can reverse connections and encrypt commands.

Detecting Trojans Tools —
(i) fport — Command line tool for viewing open ports and connections.
(ii) tcpview — GUI tool for viewing open ports and connections.
(iii) Process Viewer — GUI tool for showing open processes including child processes.
(iv) Autoruns — Lists all programs that will run on start up and where they are called from.
(v) HijackThis — Displays a list of unusual registry entries and files on the drive.
(vi) Spybot S&D — Originally volunteer supported scanning and detection tool.

Q.32. Write short notes on —
(i) NetSTAT
(ii) TCPView
(iii) CurrPorts.

Ans. (i) NetSTAT — It is a network based intrusion detection system that uses the state transition analysis technique. State transition analysis describes computer penetrations as a sequence of actions that an attacker performs to compromise a system. This system uses intrusion detection components known as probes. Probes are placed on the network, and each has a filter module that is used to select the events relevant in a state transition scenario. A single probe cannot detect all attacks, and it does not interact with the other probes; the analyzer therefore decomposes the intrusion scenario into sub-scenarios, each of which can be detected by a single probe.

(ii) TCPView — TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000 and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows.

(iii) CurrPorts — CurrPorts displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.
In addition, CurrPorts allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports list to an HTML file, XML file, or to a tab-delimited text file. CurrPorts also automatically marks with pink colour suspicious TCP/UDP ports owned by unidentified applications (applications without version information and icons).

CurrPorts is a free software application from the Network subcategory, part of the Network & Internet category. The app is currently available in English and it was last updated on 2020-07-28. The program can be installed on Win2000, Win7 x32, Win7 x64, Win98, WinVista, WinVista x64, WinXP. CurrPorts (version 2.62) has a file size of 97.91 KB and is available for download; just click the green Download button. The download link has been checked to be safe, however for your own protection it is recommended that you scan the downloaded software with your antivirus.

Q.33. Discuss the LAN scanner tools.

Ans. LAN scanner tools filter packets based on the header data present in the packets; usually such filtering specifies simple criteria for the IP addresses and ports present in the packets. These passive network sniffing programs have been developed for either wired or wireless network measurement; the best-known are tcpdump and Wireshark.

(i) Look@Lan — Look@Lan is an advanced network monitor that allows you to monitor your net in a few clicks. It is extremely easy to use and very fast in discovering your network's active nodes. It is full of relevant features such as auto-detect of network configuration, monitoring, reporting, trapping, statistics and graphs, network tree view, network log, proof single node scan, OS detection. The main features of Look@Lan are as follows —
(a) Auto-detect of network settings
(b) Scanning of one or more scan-ranges
(c) Complete management of network profiles
(d) World's fastest node discovery scan
(e) Automatic and manual network configuration
(f) Network statistics and graphs
(g) File export (text and HTML)
(h) Advanced trapping
(i) Network log
(j) Network tree view
(k) Proof single node scan
(l) Reporting.

(ii) Wireshark — Wireshark is a free and open-source packet analyzer, written in C. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in 2006 the project was renamed Wireshark due to trademark issues. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options. Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all of the traffic travelling through the switch will necessarily be sent to the port on which the capture is being done, so capturing in promiscuous mode will not necessarily be sufficient to see all traffic on the network. Port mirroring or various network taps extend capture to any point on the net; simple passive taps are extremely resistant to malware tampering.

(iii) Tcpdump — This is a common packet analyzer that runs under the command line and a tool ported to several platforms. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Tcpdump works by capturing and displaying packet headers and matching them against a set of criteria. It runs on most UNIX-like operating systems — e.g. Linux, BSD, Solaris, HP-UX and AIX amongst others — making use of the libpcap library to capture packets.



DoS ATTACK UNDERSTANDING TOOLS — JOLT2, LAND AND LATIERRA, TARGA, NEMESY, UDP FLOOD, PANTHER, CRAZY PINGER, SOME TROUBLE, FSMAX

Q.34. What do you understand by DoS attacks?


Ans. Denial of Service (DoS) is the name employed for the interruption or disruption of the computing services of the target system. A DoS attack attempts to prevent legitimate users from accessing network resources. It can take the form of flooding a network or server with traffic so that legitimate messages cannot get through to the network or server. DoS attacks exhaust the computing resources and communication bandwidth of their targets and bring them down.

One version of this attack targets the websites of high-profile organisations.

Q.35. Write short note on DDoS.

Q.36. Discuss in brief the various types of DoS attacks.

Ans. Some of the DoS attacks are as follows —


(i) IP Spoofing — IP spoofing is forging of an IP packet address. In particular, the source address in the IP packet is forged. Since network routers use the destination address to route packets in the network, the only time a source address is used is by the destination host to respond back to the source host. So forging the source IP address causes the responses to be misdirected, creating problems in the network. Many network attacks are a result of IP spoofing.

(ii) Smurf Attack — In this attack, the intruder sends a large number of spoofed ICMP Echo requests to broadcast IP addresses. Hosts on the broadcast multicast IP network, say, respond to these bogus requests with reply ICMP Echo. This may significantly multiply the reply ICMP Echos to the hosts with spoofed addresses.

(iii) Buffer Overflow Attack — In this attack, the attacker floods a carefully chosen field such as an address field with more characters than it can accommodate. These excessive characters, in malicious cases, are actually executable code which the attacker can execute to cause havoc in the system, effectively giving the attacker control of the system. Since anyone with little knowledge of the system can use this type of attack, buffer overflow has become one of the most serious classes of security threats.

(iv) Ping of Death Attack — This vulnerability is used to attack systems so that no user could use its services. A system receives packets that are larger than the 65,536 bytes allowed by the IP protocol. Many operating systems, including network operating systems, cannot handle oversized packets, so they freeze and eventually crash.


ck uses a program that causes 
(v) Teardrop Attack- The “awo samasaa i Hia 
fragmentation of a TCP packet. It explo 
system to crash or hang. amisi opii T hni 
(vi) SYN Attack — The handshake, the client sends a SYN packet 
[ee Way ket with a SYN ACK packet. Then the 
to the host, the host replies on EE 
client responds with a TCP A several SYN packets are sent to the server but 
Now, in a SYN attack to š d source IP address. When the target systems 
all these SYN packets have 3 ith bad IP addresses, it tries to respond to each 
receives these SYN ES ok acket. Now, the target system waits for a ACK 
one of them with a SYN eee address. It queues up all these requests until 
message to ee cae The requests are not removed unless and until 
it receives an A 


handshake. In a normal th 
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the remote target system gets an ACK 

or occupy valuable resources of the target Machine 
To actually effect the target System, a large number 

have to be sent. Since these packets havea Q 


bad sourc Ad |p 
elp 
up resources and memory or the target system and event. they Wey, 
reboot the system. Ventually 


c Ug 
rash, huy, 
o 


Message, Hence, these 


“queg 
Sly la 
Gy 


d 


Paka 


A land attack is same as a SYN attack 


i » the only q; 
instead of a bad IP address, the IP address of the bias "eso Ce being y 
es m a 
(vii) SYN F looding — A three IS Used, 


source addresses. 


Š 
P and the victim 


an be brought down. 


y Significant damage to the victim system, and the 
with a simple reboot. 
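The attack patterns described above (Land, Smurf, Ping of Death and the SYN attack) can be recognised from a packet or flow record by simple defensive rules; the following detector is an added example and is not part of the original text. The record layout, the broadcast-address set, the half-open threshold and the sample traffic are assumptions constructed for the example.

```python
"""Detector for the DoS patterns discussed above (Land, Smurf, Ping of Death,
SYN attack / SYN flooding), run over constructed packet records.  Added
example; record layout, thresholds and sample data are assumptions."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

IPV4_MAX_LEN = 65535      # largest datagram the 16-bit IPv4 total-length field allows
HALF_OPEN_LIMIT = 100     # assumed alert threshold: unanswered SYNs per (dst, port)


@dataclass(frozen=True)
class Pkt:
    """One observed packet, as a sensor or flow log might summarise it."""
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags seen from the client side: "S", "A", ...
    icmp_type: int = -1   # 8 = echo request
    length: int = 64      # total length of the (reassembled) IP datagram


def is_land(p: Pkt) -> bool:
    """Land: source and destination address *and* port are the victim's own."""
    return p.proto == "tcp" and p.src == p.dst and p.sport == p.dport


def is_smurf(p: Pkt, broadcast: set[str]) -> bool:
    """Smurf: ICMP echo request aimed at a directed-broadcast address, so every
    host on that network answers the (spoofed) source."""
    return p.proto == "icmp" and p.icmp_type == 8 and p.dst in broadcast


def is_ping_of_death(p: Pkt) -> bool:
    """Ping of Death: a datagram reassembled beyond the IPv4 maximum length."""
    return p.proto == "icmp" and p.length > IPV4_MAX_LEN


def half_open_per_target(pkts: list[Pkt]) -> dict[tuple[str, int], tuple[int, int]]:
    """Per (dst, dport): (SYNs never followed by the client's ACK, distinct sources).

    A SYN later completed by a bare ACK from the same client is a normal
    handshake; a SYN with no such ACK is a half-open entry the target keeps
    queued until it times out, which is what a SYN attack relies on."""
    pending: dict[tuple[str, int], Counter] = defaultdict(Counter)
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.dst, p.dport)
        if p.flags == "S":
            pending[key][p.src] += 1
        elif p.flags == "A" and pending[key][p.src] > 0:
            pending[key][p.src] -= 1
    return {k: (sum(c.values()), sum(1 for v in c.values() if v > 0))
            for k, c in pending.items()}


def detect(pkts: list[Pkt], broadcast: set[str]) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for every pattern present in pkts."""
    findings = []
    for p in pkts:
        if is_land(p):
            findings.append(("land", f"{p.src}:{p.sport} -> itself"))
        if is_smurf(p, broadcast):
            findings.append(("smurf", f"echo request to broadcast {p.dst} from {p.src}"))
        if is_ping_of_death(p):
            findings.append(("ping_of_death", f"{p.length} bytes from {p.src}"))
    for (dst, port), (half_open, sources) in half_open_per_target(pkts).items():
        if half_open >= HALF_OPEN_LIMIT:
            findings.append(("syn_flood",
                             f"{dst}:{port} half-open={half_open} sources={sources}"))
    return findings


def build_sample() -> list[Pkt]:
    """Constructed traffic: 120 spoofed SYNs, 5 normal handshakes and one of
    each other attack.  Addresses are documentation ranges (RFC 5737)."""
    victim = "192.0.2.10"
    pkts = [Pkt(f"198.51.100.{i + 1}", victim, "tcp", 40000 + i, 80, "S")
            for i in range(120)]                                # spoofed, never ACKed
    for i in range(5):                                          # legitimate clients
        pkts.append(Pkt("192.0.2.20", victim, "tcp", 50000 + i, 80, "S"))
        pkts.append(Pkt("192.0.2.20", victim, "tcp", 50000 + i, 80, "A"))
    pkts.append(Pkt(victim, victim, "tcp", 139, 139, "S"))       # Land
    pkts.append(Pkt(victim, "192.0.2.255", "icmp", icmp_type=8))  # Smurf trigger
    pkts.append(Pkt("203.0.113.7", victim, "icmp", icmp_type=8, length=65600))
    return pkts


if __name__ == "__main__":
    for kind, detail in detect(build_sample(), {"192.0.2.255"}):
        print(f"{kind:14s} {detail}")
```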


(i) ... — a program that sends ... ICMP echo or illegally ...
(ii) Burbonic — This DoS exploit attempts to victimize a Windows 2000 machine by sending a randomly large number of TCP packets with random settings with the purpose of increasing the load on the machine so that it leads to a crash.
Jolt 2 — This tool sends a large number of identical, illegally fragmented UDP packets.
(iii) Land and LaTierra — The Land tool sends the victim a request by spoofing the IP address of the packet with the IP address of the victim. Since the IP addresses of source and destination are the same, the system crashes as it starts flooding itself with packets. LaTierra also works as the Land tool but it sends TCP packets to more than ...
(iv) Targa — Targa is a collection of 16 different DoS attack programs. It can launch the attacks individually as well as in a group and can damage a network instantly.
(v) Nemesy — Nemesy is the DoS attack tool whose presence specifies that the computer is ... and infected with the malicious software. It is a GUI based tool which can deplete the bandwidth of the victim server. It does not generate multiple sources and spoof the IP addresses. It attempts to launch an attack with a specified number of packets of specified sizes.
(vi) Blast — Blast is a TCP services stress test tool but can also be used for launching a DoS attack against an unprotected server.
(vii) Blast20 — Blast20 is the DoS attack tool called as the TCP service stress tool; it is able to identify the potential weaknesses in the network servers instantly. It is a command line based tool which has the ability to exhaust the resources of the victim server. The parameters required to launch an attack are target address, start size and end size of the packet.
(viii) Panther — A UDP based DoS attack tool that can flood the specified ... at a particular port number. It takes the IP address ... to launch the attack. This tool is Windows based. It can deplete the bandwidth of the victim server and ... and TCP types. However, it is not so powerful a... ... tool allows the attacker to perform a UDP based attack on a 28.8-... Also, this tool helps the attacker to crash the target server by flooding the server with too many connection requests.
(ix) Crazy Pinger — Crazy Pinger is the DoS attack tool which can launch an attack by sending ... ICMP packets to the victim machine or to a large remote network. Crazy Pinger is the GUI based attack tool that can spoof the IP addresses and can exhaust the resource and bandwidth. This kind of tool is easy ... and is effective over multiple platforms.
(x) ... — This is a remote flooder. It is also a simple program with three remote ... : (a) mail bomb (b) ICQ bomb (c) Netsend flood.
[Figure: option menu of the tool — Mail Bombing, ICQ Bombing, Netsend Flood, Startup]
(xii) FSMax — FSMax is the DoS attack tool which can be used to test the stress of the network and to test the server for buffer overflows which may be exploited during an attack. A text file is accepted as the input which is executed through a sequence of tests based on the input. FSMax has the ability to exhaust the resources of the victim server.


EXAMINATION, ... 2011
INFORMATION SECURITY
[IT - 801 (N)]

Note : Attempt any one question from each Unit.

Unit-I
1. (a) What are t... ...ions in cryptography ? (See Unit-I, Page 19, Q.17) 10
(b) What is hash function and what can it be used for ? (See Unit-III, Page 132, Q.17) 10
Or
2. (a) How can a security framework assist in the design and implementation of a security infrastructure ? 10
(b) Explain the following — (i) Confidentiality (ii) Integrity (iii) Availability 10
Unit-II
3. (a) What are the components of public key infrastructure (PKI) ? 10
(b) What drawbacks to symmetric and asymmetric encryption are resolved by using a hybrid method like Diffie-Hellman ? (See Unit-II, Page 78, Q.17) 10
Or
4. (a) What is the difference between digital signatures and digital certificates ?
(b) What is the fundamental difference between symmetric and asymmetric ... ?
Unit-III
5. (a) IPsec can be used in two modes. What are they ? (See Unit-IV, Page 208, Q.68)
(b) Using a ... that is based on a Pentium 32... computer, how long would it take to crack a ...-bit key, 56-bit key, ... ? **
Or
6. (a) Explain what is authentication and its types. (See Unit-III, Page 146, Q.30) 10
(b) What do you mean by Transport Layer Security (TLS) ? (See Unit-IV, Page ..., Q....)
Unit-IV
7. (a) What security protocols are predominantly used in ...commerce ? (See Unit-..., Page ..., Q....)
(b) Explain the terms phishing attacks, SQL injection attacks ...
Or
8. (a) What security protocols are used to protect e-mail ? (See Unit-IV, Page ..., Q....)
(b) W... the most popular symmetric encryption ... (See Unit-I, Page ..., Q....)
Unit-V
9. (a) What are web security problems ? Explain. (See Unit-IV, Page ..., Q....)

**Now, according to new revised syllabus of R.G.P.V., it is not included in syllabus
Cryptography & Information Security

B.E. (Eighth Semester) EXAMINATION, Dec. 2011
(Information Technology Engg. Branch)
INFORMATION SECURITY
(IT - 801)

Note : Attempt any one question from each Unit. Differentiate columnwise on the basis of properties, specified separately. Draw neat diagrams.

Unit-I
1. (a) Write the algorithm, draw the flowchart and write a program in C++ for Caesar Cipher. 10
(b) Explain function of single round performed in each round of DES. (See Unit-I, Page 49, Q.41) 10
Or
2. (a) Differentiate between the following — 5 each
(i) Block and Stream Cipher (See Unit-I, Page 64, Q.58)
(ii) Diffusion and confusion (See Unit-I, Page 32, Q.33)
(b) Explain block cipher modes of operation which use any encryption ... use only encryption. Draw complete and clear diagrams of each. (See Unit-I, Page 63, Q.55) 10
Unit-II
3. (a) Explain Euclidean algorithm. Solve the following using this algorithm — 10
(i) gcd (24140, 16762) (ii) Determine gcd (4655, 12075) (See Unit-I, Page 16, Prob.3)
(b) Explain Diffie-Hellman key exchange algorithm using flowchart and ... (See Unit-II, Page 80, Q.20) 10
Or
4. (a) What are various requirements must be fulfilled by a Hash function ? (See Unit-III, Page 135, Q.19) 10
(b) Find integer x such that — ** 10
(i) 5x ≡ 4 (mod 3) (ii) 7x ≡ 6 (mod 5) (iii) 9x ≡ 8 (mod 7) (iv) 3x ≡ 9 (mod 10)
Unit-III
5. (a) What four requirements were defined for Kerberos ? Explain. (See Unit-III, Page 159, Q.43) 10
(b) What are the protocols that SSL comprised of ? Explain. (See Unit-IV, Page 222, Q.80) 10
Or
6. (a) What are the services provided by the SSL record protocol ? (See Unit-IV, Page 219, Q.79) 10
(b) What entities constitute a full service Kerberos environments ? (See Unit-III, Page 157, Q.39) 10
Unit-IV
7. (a) Explain the ... involved in key generation in PGP. (See Unit-IV, Page 199, Q.55) 10
(b) What is role of compression and encryption in the operation ... ?
Or
8. (a) How can we prevent CSSV attacks ?
(b) What are typical phases of operation of a virus or worm ?
Unit-V
9. (a) List four techniques used by firewalls to control access and ... security policy. (See Unit-IV, Page 178, Q....)
(b) What metrics are useful for profile based intrusion detection ? ... are benefits that can be provided by an intrusion detection system ? (See Unit-IV, Page 194, Q.47) 10
Or
10. (a) Differentiate between the following — (See Unit-IV, Page 194, Q.49)
(i) Statistical anomaly detection and rule based intrusion detection
(ii) Rule-based anomaly detection and rule based penetration identification
(b) Write short notes on any two of the following — 10
(i) Application level gateway (See Unit-IV, Page 183, Q.28)
(ii) Cookies (See Unit-IV, Page 217, Q.76)
(iii) Secure HTTP

B.E. (Eighth Semester) EXAMINATION, June, 2012
(Information Technology Engg. Branch)
INFORMATION SECURITY
(IT - 801)

Note : Attempt any one question from each Unit. Draw neat diagrams. Differentiate columnwise on the basis of properties, specified separately.

Unit-I
1. (a) Write algorithm, draw flowchart and also write a program in C++ for one time pad cipher. 10
(b) Explain DES algorithm with the help of diagrams. (See Unit-I, Page 44, Q.35) 10
Or
2. (a) Explain block cipher modes ... encryption ... decryption. Draw complete and clear diagrams. (See Unit-I, Page 63, Q.55) 10
(b) Differentiate between the following —
(i) Block cipher and stream cipher (See Unit-I, Page 64, Q....)
(ii) Diffusion and confusion (See Unit-I, Page 32, Q....)
Unit-II
3. (a) Write short notes on any two of the following —
(i) Hash value (See Unit-III, Page 132, Q.16)
(ii) Birthday attack (See Unit-III, Page 137, Q....)
(iii) Man-in-the-middle attacks (See Unit-II, Page 83, Q.21)
(b) Explain Euclidean algorithm and solve the following using above algorithm — 10
(i) ... (..., 1066) (ii) Determine gcd (24140, 16762) (See Unit-I, Page 17, Prob.4)
Or
4. (a) What characteristics are needed in a secure hash function ? 10
(b) Explain RSA algorithm and using this algorithm encrypt the following — 10
(i) p = ..., q = 11, e = 7, M = 5 (ii) p = 7, q = 11, e = 17, M = ... (See Unit-II, Page 101, Prob.10)
Unit-III
5. (a) What are the principal differences between version 4 and version 5 of Kerberos ? (See Unit-III, Page 160, Q.44) 10
(b) List and briefly define the parameters that define an SSL session state. (See Unit-IV, Page 219, Q.78) 10
Or
6. (a) What is the difference between tunnel mode and transport mode ? (See Unit-IV, Page 209, Q.69) 10
(b) What services are provided by IPsec ? (See Unit-IV, Page 205, Q.64) 10
Unit-IV
7. (a) Draw generic transmission diagram in PGP and explain in brief. (See Unit-IV, Page 198, Q.54) 10
(b) How does a worm propagate ?
Or
8. (a) What sort of testing can be performed in order to ... CSS attacks ?
(b) What is the role of compression in the operation of a ... ? 10
Unit-V
9. (a) What are three benefits that can be provided by an intrusion detection system ? (See Unit-IV, Page ..., Q....)
(b) What are the weaknesses of a packet filtering router ? ... its solution. (See Unit-IV, Page 183, Q....)
Or
10. (a) Explain the working of application level gateway. (See Unit-IV, Page 183, Q.24) 10
(b) Specify and explain classes of intruders. (See Unit-IV, Page 189, Q.37) 10
B.E. (Eighth Semester) EXAMINATION, J...
(Information Technology Engg. Branch)
INFORMATION SECURITY
(IT - 801)

Note : All questions carry equal marks. Attempt any question from internal choice.

Unit-I
1. (a) What is the difference between passive and active security threats ? (See Unit-IV, Page 169, Q.7) 10
(b) How many keys are required for two people to communicate via a cipher ? (See Unit-I, Page 20, Q.19) 10
Or
2. (a) Write a program that can encrypt and decrypt using general Caesar cipher also known as additive cipher. (See Unit-I, Page 42, Prob.10) 10
(b) Which parameters and design choices determine the actual algorithm of a Feistel cipher ? What is the purpose of the S-boxes in DES ? (See Unit-I, Page 51, Q.43) 10
Unit-II
3. (a) What is the difference between modular arithmetic and ordinary arithmetic ? List three classes of polynomial arithmetic. (See Unit-I, Page 9, Q.9) 10
(b) What are the three broad categories of applications of public-key cryptosystems ? (See Unit-II, Page 75, Q.13) 10
Or
4. (a) What is an elliptic curve and what is zero point on elliptic curve ? (See Unit-II, Page 103, Q.39) 10
(b) Explain digital signature standards in brief. (See Unit-III, Page 143, Q.27) 10
Unit-III
5. (a) What are the problems associated with clean text passwords ? ** 10
(b) How does one prevent the misuse of another user's certificate in certificate based authentication ? ** 10
Or
6. (a) Explain the security handshake pitfalls. ** 10
(b) What is Kerberos ? How does Kerberos work ? (See Unit-III, Page 154, Q.37) 10
Unit-IV
7. (a) Explain SQL injection. Why is this for Web attack only ?
(b) How is circuit gateway different from application gateway ? (See Unit-IV, Page 183, Q.29)
Or
8. (a) What is phishing ? How to avoid phishing attacks ?
(b) Explain how a firewall guards corporate networks ? (See Unit-IV, Page 175, Q.14) 10
Unit-V
9. (a) What are the hardware ... software requirements ? Classify them into various ... (See Unit-IV, Page ..., Q....) 10
(b) Give difference ... viruses, worms and malwares. ** 10
Or
10. (a) Why would leased line ... a better approach than VPN ? (See Unit-IV, Page 190, Q.41) 10
(b) List the characteristics of a good firewall implementation. (See Unit-IV, Page 176, Q....)


B.E. (Eighth Semester) EXAMINATION, June, ...
(Information Technology Engg. Branch)
INFORMATION SECURITY
(IT - 801)

Note : (i) There are ten questions with internal ...
(ii) Attempt any five from them.
(iii) Assume missing data (if any). All questions carry ... marks.

Unit-I
1. (a) Why is confidentiality an important principle of ... security ?
(b) What is a worm ? What is the significant difference between a worm and a virus ? (See Unit-IV, Page ..., Q....)
2. (a) What is plaintext ? Why is monoalphabetic cipher difficult to crack ? (See Unit-I, Page ..., Q....)
(b) Distinguish between symmetric and asymmetric key cryptography. (See Unit-II, Page 74, Q....)
Unit-II
3. (a) What is an initialization vector ? What is its significance ? (See Unit-I, Page 53, Q.47)
(b) What is the important aspect that establishes trust in digital signatures ? (See Unit-II, Page 121, Q.6)
4. (a) ... (See Unit-III, Page 124, Q.10)
(b) Give the main differences between RSA and Elliptic Curve Cryptography (ECC) ? (See Unit-II, Page 109, Q.42)
Unit-III
5. (a) What is idea behind certification authority hierarchy ? (See Unit-III, Page 147, Q.31)
Why is ... self signed certificate ... ? **
(b) Why is SSL layer positioned between the application layer and the transport layer ? (See Unit-IV, Page 225, Q.81)
Or
6. (a) How ... prevent the misuse of another user's certificate in certificate ... authentication ? **
(b) What is Kerberos ? How does Kerberos work ? (See Unit-III, Page 154, Q.37)
Unit-IV
7. (a) Why are some attacks called as passive ? Why are other attacks called active ? (See Unit-IV, Page 169, Q.7)
(b) Write about offering phishing prevention techniques. Which one of them would be most effective and why. **
Or
8. (a) What are the two main attacks on corporate networks ? How can you prevent them ? (See Unit-IV, Page 176, Q.17)
(b) Describe SQL injection attacks ? What are the techniques to overcome it ? **
Unit-V
9. (a) What are the limitations of a firewall ? (See Unit-IV, Page 177, Q.18) What is significance of tunnel mode ? **
(b) How is screened host firewall, dual-homed bastion different from screened host firewall, single homed bastion ? (See Unit-IV, Page 187, Q.33)
Or
10. (a) Discuss the concept of a cookie. How can cookies damage privacy ? (See Unit-IV, Page 217, Q.76)
(b) What is the role of audit records in intrusion detection ? Explain in detail ? **


B.E. (Eighth Semester) EXAMINATION, June, 2015
(Information Technology Engg. Branch)
INFORMATION SECURITY
(IT - 801)

Note : (i) Attempt all questions with carry ...
(ii) Each unit have a internal choice.

Unit-I
1. (a) Compare output feedback mode with cipher feedback mode. (See Unit-I, Page 59, Q.52)
(b) Explain the basic principles of information ... (See Unit-IV, Page 214, Q.75)
Or
2. (a) With the help of a block diagram explain DES. (See Unit-I, Page ..., Q....)
(b) Discuss the various types of ...analysis attacks. (See Unit-..., Page 150, Q.35)
Unit-II
3. (a) Write the difference between conventional encryption ... public ... (See Unit-II, Page 74, Q....)
(b) Write a short note on RSA. (See Unit-II, Page 90, Q.29)
4. (a) Explain hash function in detail. (See Unit-III, Page 132, Q.19)
(b) Describe Diffie-Hellman key exchange ... (See Unit-II, Page 80, Q.20)
Unit-III
5. (a) Give a overview of transport mode and tunnel mode. (See Unit-IV, Page 208, Q....)
(b) Explain secure socket layer. (See Unit-IV, Page 217, Q....)
6. (a) Discuss various alert codes of TLS ? (See Unit-IV, Page 228, Q.84)
(b) ... security. (See Unit-IV, Page ..., Q....)
Unit-IV
7. Explain cross site scripting and phishing attacks ? How can you overcome ... cross site ... ?
8. Explain various types of software threats in detail. (See Unit-IV, Page 167, Q.5)
Unit-V
9. Write short notes (any four) —
(a) Intrusion detection (See Unit-IV, Page 187, Q.35)
(b) Packet filters (See Unit-IV, Page 183, Q.27)
(c) URL ...

IT-801
B.E. (Eighth Semester) EXAMINATION, June 2016
INFORMATION SECURITY

Note : (i) Answer five questions. In each question part A, B, C is compulsory and D part has internal choice.
(ii) All parts of each question are to be attempted at one place.
(iii) All questions carry equal marks, out of which part A and B (Max. 50 words) carry 2 marks, part C (Max. 100 words) carry 3 marks, part D (Max. 400 words) carry 7 marks.
(iv) Except numericals, Derivation, Design and Drawing etc.

1. (a) Write any two difference between diffusion and confusion. (See Unit-I, Page 33, Q.34)
(b) What is the purpose of the S-boxes in DES ? (See Unit-I, Page 51, Q.42)
(c) Explain the avalanche effect. (See Unit-I, Page 52, Q.45)
(d) Define playfair cipher and polyalphabetic cipher with suitable example. (See Unit-I, Page 30, Q.28)
Or
Encrypt the message "Cryptography" using the hill cipher with key
    | 9  4 |
    | 5  1 |
Show your calculation. (See Unit-I, Page 37, Prob.7)
2. (a) What is Euler's totient ? (See Unit-I, Page 13, Q.13)
(b) What are the three broad categories of application of public key cryptosystems ? (See Unit-II, Page 75, Q.13)
(c) Explain factoring problem in RSA. (See Unit-II, Page 93, Q.31)
(d) Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 71 and a primitive root a = 7.
(i) If user A has private key XA = 5, what is A's public key YA ?
(ii) If user B has private key XB = 12, what is B's public key YB ? (See Unit-II, Page 90, Prob.4)
Or
Explain elliptic curve cryptography with suitable example. (See Unit-II, Page ..., Q....)
3. (a) In the context of Kerberos, what is realm ? (See Unit-III, Page 144, Q....)
(b) Write any two difference between Kerberos 4 and Kerberos 5. (See Unit-III, Page 161, Q....)
(c) What is chain of certificate ?
(d) Explain secure socket layer and transport layer security. (See Unit-IV, Page 22..., Q....)
Or
Discuss IP security in detail. (See Unit-IV, Page 201, Q.29)
4. (a) List different type of phishing attack.
(b) List different types of viruses.
(c) Differentiate between viruses and worms. (See Unit-IV, Page 169, Q.6)
(d) Define following term — (i) Format string (ii) SQL injection attack.
Or
Define E-mail security in detail. Why E-mail security is important ? (See Unit-IV, Page 195, Q.50)
5. (a) Why access control is more important in security ? (See Unit-IV, Page 179, Q.23)
(b) Define uniform resource locator.
(c) Write difference between HTTP and HTTPS.
(d) What is firewall ? List the type of firewalls and explain. Draw a schematic diagram of a packet filtering router used as a firewall. (See Unit-IV, Page 183, Q.26)
Or
Write a short notes —
(i) Encrypted tunnel (See Unit-IV, Page 188, Q.36)
(ii) IDS (See Unit-IV, Page 187, Q.35)


IT-801
B.E. (Eighth Semester) EXAMINATION, June 2017
INFORMATION SECURITY

Note : (i) Eight questions are there.
(ii) Attempt five questions.
(iii) All questions carry equal marks.

1. (a) Define security. What are multiple layers of security ? ...
(b) ... ...ics of information ... ?
2. (a) How many keys are required for two parties to communicate via a cipher ? Why ? (See Unit-I, Page 20, Q.19) 7
(b) ... with suitable example. (See Unit-I, Page 30, Q.27) 7
3. (a) Explain Elliptic curve cryptography and its applications. (See Unit-II, Page 107, Q.41)
(b) What types of attacks are addressed by message authentication ? (See Unit-III, Page 119, Q.4) 7
4. (a) What basic arithmetical and logical functions are ... Whirlpool ? 7
(b) What constitutes a full-service Kerberos environment ? (See Unit-III, Page 157, Q.39) 7
5. (a) Why does PGP generate a signature before applying compression ? (See Unit-IV, Page 199, Q.56) 7
6. (a) What is difference between transport mode and tunnel mode ? (See Unit-IV, Page ..., Q.69)
(b) Give differences among Viruses, Worms and Malwares.
7. (a) What is HTTP ? How HTTP differs from HTTPS ?
(b) List and briefly define three classes of intruders. What is ... ? (See Unit-IV, Page 189, Q....)
8. Write short notes on any two —
(a) Firewalls (See Unit-IV, Page ..., Q....)
(b) Eavesdropping (See Unit-IV, Page 195, Q....)
(c) Diffie-Hellman key exchange (See Unit-II, Page 80, Q.20)
(d) SQL Injection.


IT-801 (GS)
B.E. (Eighth Semester) EXAMINATION, ...

Note : (i) Attempt any five questions.
(ii) All questions carry equal marks.

1. (a) Differentiate substitution and transposition ciphers with suitable example. (See Unit-I, Page 32, Q.31)
(b) ... cryptanalysis. Explain linear and differential cryptanalysis. (See Unit-III, Page 148, Q.32)
2. (a) ... purpose of the S boxes in DES ? Explain the avalanche effect. (See Unit-I, Page 52, Q.44)
(b) ... is steganography ? How is it differs from cryptography ? (See Unit-V, Page 245, Q.18)
3. (a) Briefly discuss Diffie-Hellman key exchange scheme. (See Unit-II, Page 80, Q.20)
(b) What is hash function ? Give the basic uses of hash function. (See Unit-III, Page 132, Q.17)
4. (a) Explain digital signature with arbitrated and direct approaches. (See Unit-III, Page 122, Q.8)
(b) What was Kerberos designed for ? Explain the architecture of Kerberos. (See Unit-III, Page 154, Q.37)
5. Define following attacks in detail —
(a) SQL injection attack
(b) Phishing attack
(c) Ransomware attack.
6. (a) Define virus, intruders, worms. Also write the basic principle of intrusion detection system. (See Unit-IV, Page 189, Q.40)
(b) What is the use of firewall ? Explain firewall design principles. (See Unit-IV, Page 178, Q.20)
7. (a) Define the terms Integrity, Confidentiality, Denial of Service and Authentication. (See Unit-IV, Page 166, Q.3)
(b) Explain architecture of Secure Socket Layer. (See Unit-IV, Page 217, Q.77)
8. Write short notes on any two —
(a) IP spoofing (See Unit-V, Page 231, Q.2)
(b) Brute force attack (See Unit-III, Page 153, Q.34)
(c) Strength of DES (See Unit-I, Page 46, Q.39)
(d) RSA encryption algorithm. (See Unit-II, Page 90, Q.29)


IT-8001 (CBGS)
B.E. VIII Semester
EXAMINATION, May 2019
Choice Based Grading System (CBGS)
INFORMATION SECURITY

Note : (i) Attempt any five questions.
(ii) All questions carry equal marks.

1. (a) List and briefly define types of cryptanalytic attacks based on what is known to the attacker ? (See Unit-III, Page 153, Q.35)
(b) Briefly define the playfair cipher with taking a suitable example. (See Unit-I, Page 30, Q.27)
2. Encrypt the message "meet at the airport" using the Hill cipher with the key
    | 9  4   |
    | 5  ... |
Show your calculation and the result. (See Unit-I, Page 4..., Prob....)
3. (a) What is the primitive root of a number ? (See Unit-II, Page 88, Prob.1)
(b) What are the three broad categories of applications of public-key cryptosystems ? (See Unit-II, Page 75, Q.13)
4. Perform the encryption and decryption using RSA algorithm —
(i) p = 3; q = 11; e = 7; m = 5
(ii) p = 11; q = 13; e = 17; m = 8. (See Unit-II, Page 103, Prob.12)
5. (a) Explain the concept of Kerberos ? How is it useful ? (See Unit-III, Page 157, Q.38)
(b) Explain the internet key exchange protocol. (See Unit-IV, Page 213, Q.73)
6. Explain the phishing and format string attack. Explain with taking suitable example.
7. (a) What is penetration testing ?
(b) What is firewall and its types ? (See Unit-IV, Page 183, Q.25)
8. Write a short notes (any three) —
(i) Intrusion detection system (See Unit-IV, Page 187, Q.35)
(ii) Email security (See Unit-IV, Page 196, Q.51)
(iii) Socket secure layer (See Unit-IV, Page 217, Q.77)
(iv) Web Security and cookies. (See Unit-IV, Page 217, Q.79)